Vulnerable URL pidgin.im
Shivam Khambe
shivamkhambe98 at gmail.com
Fri Feb 1 14:05:57 EST 2019
Hi pidgin.im Support Team
My name is SHIVAM KHAMBE from India.
I have found X-Frame-Options Header Not Set ('ClickJacking'
attacks), application error disclosure, and
Web Browser XSS Protection Not Enabled.
The vulnerable domain is:
http://pidgin.im
Vulnerable URL details:
----------------------X-Frame-Options Header Not Set-------------------------------
Description
X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL https://pidgin.im/pipermail/support/2009-May/017245.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2016-January/029242.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2008-September/015633.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2009-November/019463.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2014-July/thread.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2009-June/017770.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2010-February/020291.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2014-November/028265.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2018-June/030274.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2018-January/030150.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2013-October/027313.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2007-November/013589.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2010-March/020577.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2009-September/018824.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2013-March/026463.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2009-April/016991.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2009-December/019547.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2009-June/017839.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2010-January/019937.html
Method GET
Parameter X-Frame-Options
URL https://pidgin.im/pipermail/support/2010-October/022036.html
Method GET
Parameter X-Frame-Options
Instances 17600
Solution
Most modern web browsers support the X-Frame-Options HTTP header. Ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your own server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. ALLOW-FROM allows specific websites to frame the page in the browsers that support it.
Reference
http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
CWE Id 16
WASC Id 15
Source ID 3
-------------------Application Error Disclosure---------------
Description
This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.
URL https://pidgin.im/pipermail/support/2014-March/thread.html
Method GET
Evidence Internal Server Error
URL https://pidgin.im/pipermail/support/2009-July/018174.html
Method GET
Evidence internal error
URL https://pidgin.im/pipermail/support/2009-July/017899.html
Method GET
Evidence Internal Server Error
URL https://pidgin.im/pipermail/support/2010-March/020593.html
Method GET
Evidence Internal Server Error
URL https://pidgin.im/pipermail/support/2010-March/020604.html
Method GET
Evidence Internal Server Error
URL https://pidgin.im/pipermail/support/2010-March/020592.html
Method GET
Evidence Internal Server Error
URL https://pidgin.im/pipermail/support/2010-March/subject.html
Method GET
Evidence Internal Server Error
URL https://pidgin.im/pipermail/support/2014-March/027735.html
Method GET
Evidence Internal Server Error
URL https://pidgin.im/pipermail/support/2014-April/027822.html
Method GET
Evidence internal error
URL https://pidgin.im/pipermail/support/2009-July/018162.html
Method GET
Evidence internal error
URL https://pidgin.im/pipermail/support/2009-July/017900.html
Method GET
Evidence Internal Server Error
URL https://pidgin.im/pipermail/support/2010-January/author.html
Method GET
Evidence Error Report
URL https://pidgin.im/pipermail/support/2010-January/thread.html
Method GET
Evidence Error Report
URL https://pidgin.im/pipermail/support/2010-January/subject.html
Method GET
Evidence Error Report
URL https://pidgin.im/pipermail/support/2010-January/date.html
Method GET
Evidence Error Report
URL https://pidgin.im/pipermail/support/2010-October/022009.html
Method GET
Evidence internal error
URL https://pidgin.im/pipermail/support/2009-June/017516.html
Method GET
Evidence Internal Server Error
URL https://pidgin.im/pipermail/support/2010-March/author.html
Method GET
Evidence Internal Server Error
URL https://pidgin.im/pipermail/support/2010-March/thread.html
Method GET
Evidence Internal Server Error
URL https://pidgin.im/pipermail/support/2009-July/017901.html
Method GET
Evidence Internal Server Error
Instances 44
Solution
Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.
Reference
CWE Id 200
WASC Id 13
Source ID 3
----------------------X-Frame-Options Header Not Set-------------------------------
Description
X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://pidgin.im/cgi-bin/mailman/options/cabal
Method POST
Parameter X-Frame-Options
URL http://pidgin.im/robots.txt
Method GET
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/subscribe/commits
Method POST
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/options/wikiedit
Method POST
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/options/support
Method POST
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/subscribe/support
Method POST
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/listinfo/announce
Method POST
Parameter X-Frame-Options
URL http://pidgin.im/about/
Method GET
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/admin/wikiedit
Method GET
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/listinfo/translators
Method POST
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/create
Method GET
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/listinfo/translators
Method GET
Parameter X-Frame-Options
URL http://pidgin.im/sitemap.xml
Method GET
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/listinfo/support
Method POST
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/listinfo/wikiedit
Method GET
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/listinfo/support
Method GET
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/listinfo
Method GET
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/admin
Method GET
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/listinfo/wikiedit
Method POST
Parameter X-Frame-Options
URL http://pidgin.im/cgi-bin/mailman/subscribe/cabal
Method POST
Parameter X-Frame-Options
Instances 54
Solution
Most modern web browsers support the X-Frame-Options HTTP header. Ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your own server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. ALLOW-FROM allows specific websites to frame the page in the browsers that support it.
Reference
http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
CWE Id 16
WASC Id 15
Source ID 3
----------------------Web Browser XSS Protection Not Enabled-------------------------------
Description
Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.
URL http://pidgin.im/cgi-bin/mailman/admin/wikiedit
Method GET
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/subscribe/cabal
Method POST
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/listinfo/cabal
Method GET
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/listinfo/announce
Method POST
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/admin/announce
Method GET
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/options/commits
Method POST
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/roster/devel
Method POST
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/options/translators
Method POST
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/admin/translators
Method GET
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/listinfo/translators
Method POST
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/listinfo/announce
Method GET
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/listinfo/cabal
Method POST
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/admin/devel
Method GET
Parameter X-XSS-Protection
URL http://pidgin.im/robots.txt
Method GET
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/options/cabal
Method POST
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/roster/wikiedit
Method POST
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/listinfo/translators
Method GET
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/admin/support
Method GET
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/options/wikiedit
Method POST
Parameter X-XSS-Protection
URL http://pidgin.im/cgi-bin/mailman/roster/support
Method POST
Parameter X-XSS-Protection
Instances 62
Solution
Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=http://www.example.com/xss
The following values would disable it:
X-XSS-Protection: 0
The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).
Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).
Reference
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/
CWE Id 933
WASC Id 14
Source ID 3