Voltar
-
Título
FMS port 8443 reportedly vulnerable to the "Clickjacking" vulnerability. -
Descrição
Clickjacking is a vulnerability that causes an end user to unintentionally click invisible content on a web page, typically placed on top of the content they think they are clicking. This vulnerability can cause fraudulent or malicious transactions. One way to prevent clickjacking is by setting the X-Frame-Options response HTTP header with the page response. This prevents the page content from being rendered by another site when using iFrame HTML tags. This approach is implemented in Foglight. However, the Management Server does not use the X-Frame-Options response header in the following pages:
- https://fms_url:8443/aui/wcf?name=general-view-aui-wrapper&viewId=system:administration_home.159
- https://fms_url:8443/aui/assets/images/icons/
- https://fms_url:8443/aui/assets/scripts/
- https://fms_url:8443/startup/?redirectURI=
- https://fms_url:8443/aui/
-
Resolução
WORKAROUNDNone.
STATUS
Waiting for fix in a future release of the Foglight Management Server.
Please refer to Foglight™ Security and Compliance Guide for additional information.