Details
Type: Bug
Status: Open
Priority: Trivial
Resolution: Unresolved
Affects Version/s: 1.7.0
Fix Version/s: None
Component/s: None
Description
Vulnerability scanners report the HTTP metrics server as vulnerable to http-generic-click-jacking.
Although this isn't a big issue per se (it shouldn't be accessible publicly, and no unintended interaction can be done with it), some audits might require this to be fixed.
Vulnerability ID: http-generic-click-jacking
Vulnerability description: Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page.
Affected ports: 41414
Vulnerability proof:
    * Running HTTP service
    HTTP request to http://localhost:41414/
    HTTP response code was an expected 200
    1: text/html; charset=utf-8
    HTTP header 'Content-Type' was present and matched expectation
    HTTP header 'Content-Security-Policy' not present
    HTTP header 'X-Frame-Options' not present
The fix would be to add the X-Frame-Options header with the proper value.
For more information see: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
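The example below is added here to illustrate the check and the fix; it is not code from the project this ticket was filed against, whose metrics server implementation is not shown on this page. It reproduces the scanner's logic (a response is flagged when neither X-Frame-Options nor a Content-Security-Policy frame-ancestors directive is present), then stands up a small stand-in metrics endpoint that sends both headers and probes it. For an endpoint that is never legitimately embedded in another page, the proper value is X-Frame-Options: DENY (ALLOW-FROM is obsolete and ignored by current browsers), paired with Content-Security-Policy: frame-ancestors 'none', which is the modern equivalent that browsers prefer when both are set. The JSON metrics body and the ephemeral listening port are constructed for the example.

```python
"""Reproduce the http-generic-click-jacking check and serve a metrics endpoint
that passes it. Added example; the metrics body and port below are constructed,
not taken from the project under discussion."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# X-Frame-Options values that actually prevent framing. ALLOW-FROM is
# obsolete and ignored by current browsers, so it counts as ineffective.
SAFE_XFO = {"DENY", "SAMEORIGIN"}


def clickjacking_findings(headers):
    """Return the scanner-style findings for a response header mapping.

    Header names are matched case-insensitively. The list is empty only when
    both anti-framing headers are present and carry an effective value.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("HTTP header 'Content-Security-Policy' not present")
    elif "frame-ancestors" not in csp.lower():
        findings.append("HTTP header 'Content-Security-Policy' lacks frame-ancestors")
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("HTTP header 'X-Frame-Options' not present")
    elif xfo.strip().upper() not in SAFE_XFO:
        findings.append("HTTP header 'X-Frame-Options' has an ineffective value: " + xfo)
    return findings


def is_vulnerable(headers):
    """True when the page can still be framed: neither header is effective."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    return xfo not in SAFE_XFO and "frame-ancestors" not in csp


class MetricsHandler(BaseHTTPRequestHandler):
    """Stand-in for the metrics server, with the fix applied."""

    # Constructed sample body; the real server's metrics are not shown here.
    METRICS = {"CHANNEL.c1": {"ChannelSize": "0", "EventPutSuccessCount": "42"}}

    def do_GET(self):
        body = json.dumps(self.METRICS).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json; charset=utf-8")
        # The fix proposed in the ticket: forbid framing outright, since a
        # metrics endpoint has no legitimate reason to be embedded anywhere.
        self.send_header("X-Frame-Options", "DENY")
        # Modern equivalent; browsers that support CSP honour this directive
        # and prefer it over X-Frame-Options when both are present.
        self.send_header("Content-Security-Policy", "frame-ancestors 'none'")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the example quiet; request logging is not the point here.
        pass


def serve_and_probe():
    """Start the hardened server on a loopback ephemeral port, fetch /, and
    return (status, findings). An empty findings list means the scan passes."""
    server = HTTPServer(("127.0.0.1", 0), MetricsHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        port = server.server_address[1]
        with urlopen(f"http://127.0.0.1:{port}/") as resp:
            return resp.status, clickjacking_findings(dict(resp.headers))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Headers exactly as the scanner saw them in the ticket's proof.
    ticket_headers = {"Content-Type": "text/html; charset=utf-8"}
    print("before fix:", clickjacking_findings(ticket_headers))
    print("after fix:", serve_and_probe())
```

Running the module prints the two findings quoted in the ticket for the original headers and an empty list for the hardened endpoint. The check is deliberately stricter than the scanner's presence test: a server that sets X-Frame-Options to the obsolete ALLOW-FROM form, or a Content-Security-Policy without frame-ancestors, still counts as framable.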