Clickjacking is a vulnerability that causes an end user to unintentionally click invisible content on a web page, typically placed on top of the content they think they are clicking. This vulnerability can cause fraudulent or malicious transactions.
One way to prevent clickjacking is to send the X-Frame-Options HTTP response header with the page. This prevents the page content from being rendered by another site inside an iframe. This approach is implemented in Foglight.
However, the Management Server does not use the X-Frame-Options response header in the following pages:
WORKAROUND
None.
STATUS
This issue was logged as FOG-5090 and has been fixed in the 6.3 and higher releases of Foglight. The fix did not include the page for /startup/?redirectURI=
The remaining issue was logged as FOG-7221 and will be fixed in the 7.2 and higher releases of Foglight.
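To check which pages of a deployment return an effective X-Frame-Options header, for example after upgrading, captured response headers can be audited as in the following added example. It is not Quest's code; the function names are hypothetical, the paths and responses are constructed samples, and it looks only at X-Frame-Options.

```python
# Added example: audit captured HTTP response heads for X-Frame-Options.
# Paths and responses below are constructed samples, not Foglight output.
VALID = {"deny", "sameorigin"}

def xfo_values(raw_head):
    """Collect every X-Frame-Options value from a raw response head."""
    values = []
    for line in raw_head.splitlines()[1:]:       # skip the status line
        if not line.strip():                     # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            # The header may repeat, and one line may carry a comma list.
            values += [v.strip().lower() for v in value.split(",") if v.strip()]
    return values

def xfo_status(raw_head):
    """Classify the framing protection a response head provides."""
    values = xfo_values(raw_head)
    if not values:
        return "missing"          # no X-Frame-Options header was sent
    if len(set(values)) > 1:
        return "conflicting"      # more than one distinct value: review
    if values[0] in VALID:
        return "protected"
    if values[0].startswith("allow-from"):
        return "obsolete"         # ALLOW-FROM is ignored by current browsers
    return "invalid"              # unrecognised value gives no protection

def audit(captures):
    """Map each captured path to its status, keeping only the failures."""
    results = {path: xfo_status(head) for path, head in captures.items()}
    return {p: s for p, s in results.items() if s != "protected"}

HEAD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
CAPTURES = {  # constructed sample responses
    "/sample/ok": HEAD + "X-Frame-Options: SAMEORIGIN\r\n\r\n",
    "/sample/none": HEAD + "\r\n<html>X-Frame-Options: DENY</html>",
    "/sample/typo": HEAD + "x-frame-options: SAME-ORIGIN\r\n\r\n",
    "/sample/old": HEAD + "X-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n",
    "/sample/twice": HEAD + "X-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
}

if __name__ == "__main__":
    for path, status in audit(CAPTURES).items():
        print(f"{path}: {status}")
```

Response heads saved from a browser's network panel or a proxy can replace the constructed samples; any path the audit reports is one to compare against the fixed releases listed above.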
© 2025 Quest Software Inc. ALL RIGHTS RESERVED.