Bug #14648

closed

Nessus reports Clickjacking vulnerability

Added by Brian Shaw over 8 years ago. Updated about 6 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Installer
Target version:
Difficulty:
medium
Triaged:
Fixed in Releases:
Found in Releases:

Description

When scanning our environment with Nessus, the report came back that our Katello servers are vulnerable to Clickjacking on the URLs listed below:

http://<capsule server>/pub/
https://<capsule server>/pub/
https://<capsule server>/
https://<capsule server>:8443/pub/

Is it possible to add an X-Frame-Options response header to all content responses? If so, where should this be done?

Thanks for any help you can give with this.

Brian

#1

Updated by Dominic Cleal over 8 years ago

  • Project changed from Foreman to Katello
  • Category deleted (Web Interface)

#2

Updated by Justin Sherrill about 8 years ago

  • Tracker changed from Support to Bug
  • Category set to Installer
  • Status changed from New to Need more information
  • Difficulty set to medium

Likely you'd just add

Header always append X-Frame-Options SAMEORIGIN

to /etc/httpd/conf.d/05-foreman-ssl.conf

and bounce apache. We should add this to the installer. Does this make Nessus happy?
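An added check, not code from this ticket or the Katello project, for confirming that the header actually reaches the browser after the change above: it evaluates a response's headers the way the HTML standard processes X-Frame-Options (comma-split, case-insensitive, conflicting values ignored unless one is DENY, CSP frame-ancestors taking precedence), which also shows why `Header append` can silently fail if a backend already emits a different value. The header samples are constructed and the function names are my own.

```python
"""Evaluate clickjacking protection in HTTP response headers (added example)."""
import ssl
from urllib.error import HTTPError
from urllib.request import urlopen


def frame_protection(headers):
    """headers: list of (name, value) pairs. Returns (protected, reason).

    Mirrors the HTML standard's X-Frame-Options check: values are split on
    commas and lower-cased; several distinct values only block framing when
    one of them is DENY, otherwise browsers ignore the header entirely.
    A Content-Security-Policy frame-ancestors directive overrides it."""
    for name, value in headers:
        if name.lower() == "content-security-policy":
            for directive in value.split(";"):
                if directive.strip().lower().startswith("frame-ancestors"):
                    return True, "CSP " + directive.strip()
    raw = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            raw.extend(v.strip().lower() for v in value.split(","))
    values = sorted({v for v in raw if v})
    if not values:
        return False, "no X-Frame-Options header"
    if len(values) > 1:
        # e.g. "ALLOW-FROM x, SAMEORIGIN" after an Apache 'Header append' merge
        if "deny" in values:
            return True, "X-Frame-Options DENY wins over conflicting values"
        return False, "conflicting X-Frame-Options values ignored: " + ", ".join(values)
    if values[0] in ("deny", "sameorigin"):
        return True, "X-Frame-Options " + values[0].upper()
    return False, "unrecognised X-Frame-Options value: " + values[0]


def check_url(url, verify_tls=True):
    """GET url and evaluate its headers; 4xx/5xx responses are checked too."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # e.g. a capsule whose cert is signed by Katello's own CA
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urlopen(url, context=ctx, timeout=10) as resp:
            return frame_protection(resp.getheaders())
    except HTTPError as err:
        return frame_protection(err.headers.items())


if __name__ == "__main__":
    # Constructed header sets: before and after adding the directive from #2.
    before = [("Content-Type", "text/html")]
    after = before + [("X-Frame-Options", "SAMEORIGIN")]
    for label, hdrs in (("before", before), ("after", after)):
        print(label, frame_protection(hdrs))
```

Run `check_url("https://<capsule server>/pub/")` against each URL from the description to confirm the fix on a live host.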

#3

Updated by Justin Sherrill about 8 years ago

  • Release set to 166

#4

Updated by Justin Sherrill about 8 years ago

  • Status changed from Need more information to Rejected