Vulnerable URL pidgin.im

Shivam Khambe shivamkhambe98 at gmail.com
Fri Feb 1 14:05:57 EST 2019 

Hi pidgin.im Support Team
My Name Is SHIVAM KHAMBE From India
I Am Found  X-Frame-Options Header Not Set(ClickJacking'
attacks),application error disclosure,
Web Browser XSS Protection Not Enabled
The Vulnerable Domain Is :-
http://pidgin.im

Vulnerable URL Is Details
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20190202/30164fe2/attachment.html>
-------------- next part --------------

----------------------X-Frame-Options Header Not Set-------------------------------
Description	
X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL	https://pidgin.im/pipermail/support/2009-May/017245.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2016-January/029242.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2008-September/015633.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2009-November/019463.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2014-July/thread.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2009-June/017770.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2010-February/020291.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2014-November/028265.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2018-June/030274.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2018-January/030150.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2013-October/027313.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2007-November/013589.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2010-March/020577.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2009-September/018824.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2013-March/026463.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2009-April/016991.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2009-December/019547.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2009-June/017839.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2010-January/019937.html
Method	GET
Parameter	X-Frame-Options
URL	https://pidgin.im/pipermail/support/2010-October/022036.html
Method	GET
Parameter	X-Frame-Options
Instances	17600
Solution	

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference	

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
CWE Id	16
WASC Id	15
Source ID 3

               -------------------Application Error Disclosure---------------

Description	

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.
URL	https://pidgin.im/pipermail/support/2014-March/thread.html
Method	GET
Evidence	Internal Server Error
URL	https://pidgin.im/pipermail/support/2009-July/018174.html
Method	GET
Evidence	internal error
URL	https://pidgin.im/pipermail/support/2009-July/017899.html
Method	GET
Evidence	Internal Server Error
URL	https://pidgin.im/pipermail/support/2010-March/020593.html
Method	GET
Evidence	Internal Server Error
URL	https://pidgin.im/pipermail/support/2010-March/020604.html
Method	GET
Evidence	Internal Server Error
URL	https://pidgin.im/pipermail/support/2010-March/020592.html
Method	GET
Evidence	Internal Server Error
URL	https://pidgin.im/pipermail/support/2010-March/subject.html
Method	GET
Evidence	Internal Server Error
URL	https://pidgin.im/pipermail/support/2014-March/027735.html
Method	GET
Evidence	Internal Server Error
URL	https://pidgin.im/pipermail/support/2014-April/027822.html
Method	GET
Evidence	internal error
URL	https://pidgin.im/pipermail/support/2009-July/018162.html
Method	GET
Evidence	internal error
URL	https://pidgin.im/pipermail/support/2009-July/017900.html
Method	GET
Evidence	Internal Server Error
URL	https://pidgin.im/pipermail/support/2010-January/author.html
Method	GET
Evidence	Error Report
URL	https://pidgin.im/pipermail/support/2010-January/thread.html
Method	GET
Evidence	Error Report
URL	https://pidgin.im/pipermail/support/2010-January/subject.html
Method	GET
Evidence	Error Report
URL	https://pidgin.im/pipermail/support/2010-January/date.html
Method	GET
Evidence	Error Report
URL	https://pidgin.im/pipermail/support/2010-October/022009.html
Method	GET
Evidence	internal error
URL	https://pidgin.im/pipermail/support/2009-June/017516.html
Method	GET
Evidence	Internal Server Error
URL	https://pidgin.im/pipermail/support/2010-March/author.html
Method	GET
Evidence	Internal Server Error
URL	https://pidgin.im/pipermail/support/2010-March/thread.html
Method	GET
Evidence	Internal Server Error
URL	https://pidgin.im/pipermail/support/2009-July/017901.html
Method	GET
Evidence	Internal Server Error
Instances	44
Solution	

Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.
Reference	

CWE Id	200
WASC Id	13
Source ID 3
               --------------------X-Frame-Options Header Not Set--------------------------
                         
X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL	http://pidgin.im/cgi-bin/mailman/options/cabal
Method	POST
Parameter	X-Frame-Options
URL	http://pidgin.im/robots.txt
Method	GET
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/subscribe/commits
Method	POST
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/options/wikiedit
Method	POST
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/options/support
Method	POST
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/subscribe/support
Method	POST
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/listinfo/announce
Method	POST
Parameter	X-Frame-Options
URL	http://pidgin.im/about/
Method	GET
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/admin/wikiedit
Method	GET
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/listinfo/translators
Method	POST
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/create
Method	GET
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/listinfo/translators
Method	GET
Parameter	X-Frame-Options
URL	http://pidgin.im/sitemap.xml
Method	GET
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/listinfo/support
Method	POST
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/listinfo/wikiedit
Method	GET
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/listinfo/support
Method	GET
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/listinfo
Method	GET
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/admin
Method	GET
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/listinfo/wikiedit
Method	POST
Parameter	X-Frame-Options
URL	http://pidgin.im/cgi-bin/mailman/subscribe/cabal
Method	POST
Parameter	X-Frame-Options
Instances	54
Solution	

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference	

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
CWE Id	16
WASC Id	15
Source ID 3  
            ----------------------Web Browser XSS Protection Not Enabled--------------------
                                 	

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server


URL	http://pidgin.im/cgi-bin/mailman/admin/wikiedit
Method	GET
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/subscribe/cabal
Method	POST
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/listinfo/cabal
Method	GET
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/listinfo/announce
Method	POST
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/admin/announce
Method	GET
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/options/commits
Method	POST
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/roster/devel
Method	POST
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/options/translators
Method	POST
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/admin/translators
Method	GET
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/listinfo/translators
Method	POST
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/listinfo/announce
Method	GET
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/listinfo/cabal
Method	POST
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/admin/devel
Method	GET
Parameter	X-XSS-Protection
URL	http://pidgin.im/robots.txt
Method	GET
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/options/cabal
Method	POST
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/roster/wikiedit
Method	POST
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/listinfo/translators
Method	GET
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/admin/support
Method	GET
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/options/wikiedit
Method	POST
Parameter	X-XSS-Protection
URL	http://pidgin.im/cgi-bin/mailman/roster/support
Method	POST
Parameter	X-XSS-Protection
Instances	62
Solution	

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
Other information	

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).
Reference	

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/
CWE Id	933
WASC Id	14
Source ID 3

More information about the security mailing list