From dc03bca76cf5b7cb48d98d1ce245fc65b98be929 Mon Sep 17 00:00:00 2001 From: Kyle M Hall Date: Mon, 2 Nov 2015 12:11:17 -0500 Subject: [PATCH] Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks Web pages that can be embedded in frames are vulnerable to cross-frame scripting attacks. Cross-frame scripting is a type of phishing attack that involves instructions to an unsuspecting user to follow a specific link to update confidential information in an online application. Because the link leads to a legitimate page from the online application that is embedded in a frame hosted by the attackers' server, the attackers can capture all the information that the user enters. https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet Signed-off-by: Chris Cormack Signed-off-by: Katrin Fischer Signed-off-by: Jonathan Druart Signed-off-by: Chris Cormack Signed-off-by: Kyle M Hall
---
 C4/Output.pm | 11 ++++++----- .../prog/en/includes/doc-head-close.inc | 12 ++++++++++++ .../bootstrap/en/includes/doc-head-close.inc | 12 ++++++++++++ 3 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/C4/Output.pm b/C4/Output.pm
index 3ae4c6c0b8..0527d6546f 100644
--- a/C4/Output.pm
+++ b/C4/Output.pm
@@ -264,11 +264,12 @@ sub output_with_http_headers {
 my $cache_policy = 'no-cache';
 $cache_policy .= ', no-store, max-age=0' if $extra_options->{force_no_caching};
 my $options = {
- type => $content_type_map{$content_type},
- status => $status,
- charset => 'UTF-8',
- Pragma => 'no-cache',
- 'Cache-Control' => $cache_policy,
+ type => $content_type_map{$content_type},
+ status => $status,
+ charset => 'UTF-8',
+ Pragma => 'no-cache',
+ 'Cache-Control' => $cache_policy,
+ 'X-Frame-Options' => 'DENY',
 };
 $options->{expires} = 'now' if $extra_options->{force_no_caching};
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/doc-head-close.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/doc-head-close.inc
index f0b812e073..ec26a85712 100644
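Review bot: `'X-Frame-Options' => 'DENY'` is added to `$options` unconditionally, with no way for a caller to relax it, so every response that goes through output_with_http_headers — including any page Koha itself loads in a same-origin frame — will now be refused by the browser, and the `$extra_options` hash that already carries `force_no_caching` is the natural place for an override. One line would keep `DENY` as the default while letting a caller opt into `SAMEORIGIN` where self-framing is needed: `'X-Frame-Options' => $extra_options->{x_frame_options} // 'DENY',` (the key name is a constructed suggestion). It is also worth adding the CSP equivalent alongside it, `'Content-Security-Policy' => "frame-ancestors 'none'",` since `frame-ancestors` is the standardised successor and is honoured by browsers that ignore the legacy header. The body of output_with_http_headers starts and ends outside this hunk, so I cannot see whether `$options` is later merged with caller-supplied headers that could shadow this key.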
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/doc-head-close.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/doc-head-close.inc @@ -2,6 +2,18 @@ [% USE AudioAlerts %] [% USE String %] + +[%# Prevent XFS attacks -%] + + + diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/includes/doc-head-close.inc b/koha-tmpl/opac-tmpl/bootstrap/en/includes/doc-head-close.inc index e346689687..0fa238b0a5 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/doc-head-close.inc +++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/doc-head-close.inc @@ -1,6 +1,18 @@ + +[%# Prevent XFS attacks -%] + + + [% IF ( bidi ) %] -- 2.39.5
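Review bot: The lines added after `[%# Prevent XFS attacks -%]` do not survive in this rendering, so only the comment is reviewable; if, as the comment suggests, they are script-based frame-busting, that is defence-in-depth only, since a framing page can prevent such scripts from running, and the `X-Frame-Options` header set in C4/Output.pm in this same commit has to remain the primary control. The comment should say so for the next maintainer, e.g. `[%# Bug 15111: client-side clickjacking mitigation; the X-Frame-Options header sent by C4::Output is the primary protection -%]`. The same applies to the identical block added to the OPAC doc-head-close.inc in the next hunk.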