Denes Arvay created FLUME-3160:
----------------------------------

             Summary: http-generic-click-jacking reported for the metrics server
                 Key: FLUME-3160
                 URL: https://issues.apache.org/jira/browse/FLUME-3160
             Project: Flume
          Issue Type: Bug
    Affects Versions: 1.7.0
            Reporter: Denes Arvay
            Priority: Trivial


Vulnerability scanners report the HTTP metrics server as vulnerable to 
http-generic-click-jacking.
Although this isn't a big issue per se (it shouldn't be accessible publicly, and no 
unintended interaction can be done with it), some audits might require this 
to be fixed.

{noformat}
vulnerability ID : http-generic-click-jacking

Vulnerability Description : Clickjacking, also known as a UI redress attack, is 
a method in which an attacker uses multiple transparent or opaque layers to 
trick a user into clicking a button or link on a page other than the one they 
believe they are clicking. Thus, the attacker is "hijacking" clicks meant for 
one page and routing the user to an illegitimate page.

Affected ports : 41414

Vulnerability proof : 
"* Running HTTP service 
HTTP request to http://localhost:41414/ 
HTTP response code was an expected 200 
1: text/html; charset=utf-8 

HTTP header 'Content-Type' was present and matched expectation 
HTTP header 'Content-Security-Policy' not present 
HTTP header 'X-Frame-Options' not present"
{noformat}

The fix would be to add the X-Frame-Options header with the proper value.

For more information see: 
http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
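As an added example (not part of this issue and not Flume's own code), the following Python script reproduces the scanner's check in a form that can be run against any captured response headers: it treats a response as protected only if it carries a valid X-Frame-Options value (DENY or SAMEORIGIN) or a Content-Security-Policy frame-ancestors directive that does not allow every origin, and lists the findings otherwise. The header sets at the bottom are constructed; the first mirrors the state reported above (Content-Type present, both protection headers absent), the second is what the metrics server would return once the fix is applied.

```python
"""Audit HTTP response headers for clickjacking protection.

Added example, not Flume code. Checks the two headers the scanner looked at:
X-Frame-Options and Content-Security-Policy (frame-ancestors directive).
"""
from typing import Dict, List, Tuple

# The only X-Frame-Options values browsers honour consistently.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header into {directive: [source list]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def evaluate_frame_protection(headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (protected, findings) for one response's headers.

    Header names are compared case-insensitively. A response counts as
    protected if either mechanism is present with a restrictive value;
    findings still list weaknesses in the other header.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    protected = False

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options not present")
    else:
        value = xfo.strip().upper()
        if value in VALID_XFO:
            protected = True
        elif value.startswith("ALLOW-FROM"):
            findings.append("X-Frame-Options ALLOW-FROM is obsolete and ignored by "
                            "most browsers; use CSP frame-ancestors instead")
        else:
            findings.append(f"X-Frame-Options has invalid value {xfo!r}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy not present")
    else:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is None:
            findings.append("Content-Security-Policy lacks frame-ancestors")
        elif "*" in ancestors:
            findings.append("frame-ancestors allows any origin to frame the page")
        else:
            # 'none', 'self' or an explicit allow-list of origins
            protected = True

    return protected, findings


# Constructed sample header sets (not captured scanner output).
METRICS_SERVER_AS_REPORTED = {"Content-Type": "text/html; charset=utf-8"}
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("as reported", METRICS_SERVER_AS_REPORTED), ("hardened", HARDENED)):
        ok, notes = evaluate_frame_protection(hdrs)
        print(f"{label}: protected={ok}")
        for note in notes:
            print(f"  - {note}")
```

Sending both headers, as the hardened sample does, is the usual choice: X-Frame-Options covers older browsers, while frame-ancestors is the standardised mechanism and is the one to use if a specific parent origin ever needs to be allowed.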



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)