Cross-Site Framing Vulnerability Test (Clickjacking)

Ethan Blanton elb at pidgin.im
Mon Nov 17 10:36:50 EST 2014


Paras Katiyar spake unto us the following wisdom:
> I am Paras Katiyar, a security researcher from India. While surfing
> your website I came across some vulnerabilities.
> 
> #1 Clickjacking
> 
> Severity - HIGH
> 
> Vulnerable URL - http://pidgin.im/security/
> 
> Vulnerability details - According to this vulnerability the page at
> http://pidgin.im/security/ can be framed into some other html pages
> which can be used by attacker to perform malicious attacks.

Paras,

There are no forms, scripts, applications, etc. on this site, so the
damage that can be done by embedding it is very little.  Your
indication of "HIGH" security seems to indicate that you have issued
this notice without really understanding the problem -- probably via
some sort of automated tool.

While we have been moving our sites to include X-Frame-Options:
headers, and this site will eventually be so configured, we do not
consider this a critical vulnerability.  Note that those portions of
our site(s) which do allow form input and/or authentication (e.g.,
https://developer.pidgin.im/) both require SSL and provide
X-Frame-Options: DENY.

If you have some reason to believe that our analysis is flawed, please
include detailed information (not copied and pasted from, e.g.,
Wikipedia) as to where we have missed an important point.

Ethan
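The reply draws a line between a static page sent with no framing header and an authenticated page sent with X-Frame-Options: DENY. The following is an added example, not code from this thread or from the Pidgin project: given a response's headers, it decides whether a browser would let a given origin embed the page. The header sets, page URLs and attacker origin are constructed to mirror the two cases in the reply. It also goes beyond the thread, which mentions only X-Frame-Options, by honouring a Content-Security-Policy frame-ancestors directive, which browsers apply in preference to X-Frame-Options when both are present; the source matching is a simplified reading of CSP (a host source with no scheme is taken to match any scheme).

```python
"""Decide whether response headers let a page be framed (clickjacking check).

Added example; not code from the thread or the Pidgin project.  Sample
headers are constructed to mirror the two cases described in the reply.
Beyond the thread, Content-Security-Policy frame-ancestors is honoured and
takes precedence over X-Frame-Options when both are present.
"""
from urllib.parse import urlsplit

# Constructed header sets (not captured traffic), modelled on the reply.
STATIC_PAGE_HEADERS = [          # static page, no framing policy at all
    ("Content-Type", "text/html; charset=utf-8"),
    ("Server", "Apache"),
]
AUTHENTICATED_PAGE_HEADERS = [   # page with forms/login, framing denied
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "DENY"),
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to its origin tuple (scheme, host, port)."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme.lower()))


def _header_values(headers, name):
    """All values of a (case-insensitive) header, split on commas and trimmed."""
    out = []
    for key, value in headers:
        if key.lower() == name.lower():
            out.extend(v.strip() for v in value.split(",") if v.strip())
    return out


def _frame_ancestors(headers):
    """Source list of the first frame-ancestors directive, or None if absent."""
    for policy in _header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]        # empty list means: nothing may frame us
    return None


def _source_matches(source, page, framer):
    """Simplified CSP source matching against the framer's origin tuple."""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return framer == page
    if s == "*":
        return True
    if s.endswith(":") and "/" not in s:          # scheme-source, e.g. "https:"
        return framer[0] == s[:-1]
    scheme, _, rest = s.partition("://") if "://" in s else (None, None, s)
    host, _, port = rest.partition("/")[0].partition(":")
    if scheme and scheme != framer[0]:            # no scheme: any scheme matches (simplification)
        return False
    if port and port != "*" and int(port) != framer[2]:
        return False
    if not port and framer[2] != DEFAULT_PORTS.get(framer[0]):
        return False                              # no port given: default port required
    if host.startswith("*."):
        return framer[1].endswith(host[1:])       # "*.example" matches "a.example"
    return framer[1] == host


def can_be_framed_by(headers, page_url, framer_url):
    """Would a browser let framer_url embed page_url, given these headers?

    frame-ancestors wins when present.  Otherwise X-Frame-Options is applied
    as the HTML spec describes: conflicting values block, DENY blocks,
    SAMEORIGIN allows only the same origin, and any unrecognised value
    (including the obsolete ALLOW-FROM) is ignored, so framing is allowed.
    """
    page, framer = origin_of(page_url), origin_of(framer_url)
    ancestors = _frame_ancestors(headers)
    if ancestors is not None:
        return any(_source_matches(src, page, framer) for src in ancestors)
    xfo = {v.upper() for v in _header_values(headers, "X-Frame-Options")}
    if not xfo:
        return True             # no policy: any site may frame the page
    if len(xfo) > 1:
        return False            # conflicting values: browsers refuse to render
    value = xfo.pop()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return framer == page
    return True                 # unrecognised value: header ignored


def framing_report(headers, page_url, framer_urls):
    """Map each candidate framing origin to whether it may embed the page."""
    return {f: can_be_framed_by(headers, page_url, f) for f in framer_urls}


if __name__ == "__main__":
    attacker = "http://attacker.example/"       # constructed attacker origin
    print(framing_report(STATIC_PAGE_HEADERS, "http://pidgin.im/security/", [attacker]))
    print(framing_report(AUTHENTICATED_PAGE_HEADERS, "https://developer.pidgin.im/", [attacker]))
```

Run against real traffic, the same function can be fed the header list from an HTTP client response; the point of the conflicting-value and unrecognised-value branches is that a misspelled or duplicated X-Frame-Options header can silently leave a page frameable, which is the kind of detail an automated scanner reporting "HIGH" on a static page tends not to check.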