Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks

Web pages that can be embedded in frames are vulnerable to cross-frame scripting attacks. Cross-frame scripting is a type of phishing attack that involves instructions to an unsuspecting user to follow a specific link to update confidential information in an online application. Because the link leads to a legitimate page from the online application that is embedded in a frame hosted by the attackers' server, the attackers can capture all the information that the user enters. https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2015-11-02 12:11:17 -05:00 · 2015-11-02 12:11:17 -05:00 · dc03bca76c
commit dc03bca76c
parent 665a0052a1
3 changed files with 30 additions and 5 deletions
--- a/C4/Output.pm
+++ b/C4/Output.pm
@ -264,11 +264,12 @@ sub output_with_http_headers {
    my $cache_policy = 'no-cache';
    $cache_policy .= ', no-store, max-age=0' if $extra_options->{force_no_caching};
    my $options = {
-        type    => $content_type_map{$content_type},
-        status  => $status,
-        charset => 'UTF-8',
-        Pragma          => 'no-cache',
-        'Cache-Control' => $cache_policy,
+        type              => $content_type_map{$content_type},
+        status            => $status,
+        charset           => 'UTF-8',
+        Pragma            => 'no-cache',
+        'Cache-Control'   => $cache_policy,
+        'X-Frame-Options' => 'DENY',
    };
    $options->{expires} = 'now' if $extra_options->{force_no_caching};

--- a/koha-tmpl/intranet-tmpl/prog/en/includes/doc-head-close.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/doc-head-close.inc
@ -2,6 +2,18 @@
 [% USE AudioAlerts %]
 [% USE String %]
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+[%# Prevent XFS attacks -%]
+<style id="antiClickjack">body{display:none !important;}</style>
+<script type="text/javascript">
+   if (self === top) {
+       var antiClickjack = document.getElementById("antiClickjack");
+       antiClickjack.parentNode.removeChild(antiClickjack);
+   } else {
+       top.location = self.location;
+   }
+</script>
+
 <link rel="shortcut icon" href="[% IF ( IntranetFavicon ) %][% IntranetFavicon %][% ELSE %][% interface %]/[% theme %]/img/favicon.ico[% END %]" type="image/x-icon" />

 <link rel="stylesheet" type="text/css" href="[% interface %]/lib/jquery/jquery-ui.css" />
--- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/doc-head-close.inc
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/doc-head-close.inc
@ -1,6 +1,18 @@
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <meta name="generator" content="Koha [% Version %]" /> <!-- leave this for stats -->
 <meta name="viewport" content="width=device-width, initial-scale=1" />
+
+[%# Prevent XFS attacks -%]
+<style id="antiClickjack">body{display:none !important;}</style>
+<script type="text/javascript">
+   if (self === top) {
+       var antiClickjack = document.getElementById("antiClickjack");
+       antiClickjack.parentNode.removeChild(antiClickjack);
+   } else {
+       top.location = self.location;
+   }
+</script>
+
 <link rel="shortcut icon" href="[% IF ( OpacFavicon ) %][% OpacFavicon %][% ELSE %][% interface %]/[% theme %]/images/favicon.ico[% END %]" type="image/x-icon" />
 [% IF ( bidi ) %]
    <link rel="stylesheet" type="text/css" href="[% interface %]/[% theme %]/lib/bootstrap/css/bootstrap-rtl.min.css" />