
Clickjacking Vulnerability in Feehi CMS #68

Open
tanish-mahajan opened this issue Sep 7, 2022 · 0 comments

@tanish-mahajan

I have found a vulnerability in Feehi CMS called clickjacking.

POC

<html lang="en-US">
<head>
<meta charset="UTF-8">
<title>I Frame</title>
</head>
<body>
<h3>clickjacking vulnerability</h3>
<iframe src="https://demo.cms.feehi.com/index.php?r=site%2Flogin" height="550px" width="700px"></iframe>
</body>
</html>
  • Save the above text in an HTML file and open it.
  • Notice that the site is visible in the iframe.

POC Link - https://drive.google.com/file/d/1TiBY4Ju6cdxbe-a227kA3_ror19HUB9g/view?usp=sharing

IMPACT

The hacker has several ways they can use the redirected clicks for their own gain. A common form of clickjacking involves mirroring a login and password form on a website. The user assumes that they're entering their information into a usual form but they're actually entering it in fields the hacker has overlaid on the UI. Hackers will target passwords, credit card numbers and any other valuable data they can exploit.

Issue remediation
To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.
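The following checker is an added illustration of the remediation described above; it is not Feehi CMS code and has not been run against the demo site. Given the response headers a page returns, it decides whether a given parent origin may frame that page, applying the two controls browsers consult: the Content-Security-Policy `frame-ancestors` directive (which takes precedence when present) and the legacy `X-Frame-Options` header. The header sets below are constructed samples; only the demo URL comes from the report.

```python
"""Decide whether a response can be embedded in a frame by a given origin.

Added example for the remediation in this issue; it is not Feehi CMS code.
Origins are strings of the form scheme://host[:port].
"""

DEFAULT_PORTS = {"https": 443, "http": 80}


def split_origin(origin: str):
    """Return (scheme, host, port) for a scheme://host[:port] string."""
    scheme, _, rest = origin.strip().partition("://")
    host, _, port = rest.rstrip("/").partition(":")
    scheme = scheme.lower()
    return scheme, host.lower(), int(port) if port else DEFAULT_PORTS.get(scheme)


def same_origin(a: str, b: str) -> bool:
    return split_origin(a) == split_origin(b)


def source_matches(source: str, framer: str, page_scheme: str) -> bool:
    """Match one frame-ancestors source expression against the framer origin."""
    src = source.lower()
    f_scheme, f_host, f_port = split_origin(framer)
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:        # scheme-source, e.g. "https:"
        return f_scheme == src[:-1]
    if "://" in src:
        s_scheme, s_host, s_port = split_origin(src)
    else:                                            # host-source without a scheme
        s_scheme, s_host, s_port = split_origin(f"{f_scheme}://{src}")
        # CSP: a scheme-less host matches the page's own scheme, or https
        if f_scheme not in (page_scheme, "https"):
            return False
    if s_scheme != f_scheme or s_port != f_port:
        return False
    if s_host.startswith("*."):
        return f_host.endswith(s_host[1:])            # "*.example.com" -> "a.example.com"
    return f_host == s_host


def framing_verdict(headers, page_origin: str, framer_origin: str) -> str:
    """Return "blocked" or "allowed" for framer_origin embedding page_origin.

    Only the immediate parent is checked here; browsers additionally walk
    every ancestor frame. Header names are matched case-insensitively.
    """
    h = {name.lower(): value for name, value in headers.items()}
    page_scheme = split_origin(page_origin)[0]
    is_same = same_origin(page_origin, framer_origin)

    # 1. CSP frame-ancestors wins over X-Frame-Options when both are present.
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        if not sources or "'none'" in (s.lower() for s in sources):
            return "blocked"
        for s in sources:
            if s.lower() == "'self'":
                if is_same:
                    return "allowed"
            elif source_matches(s, framer_origin, page_scheme):
                return "allowed"
        return "blocked"

    # 2. Legacy X-Frame-Options.
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "blocked"
    if xfo == "sameorigin":
        return "allowed" if is_same else "blocked"
    # Missing or unrecognised (e.g. the obsolete ALLOW-FROM): browsers render the frame.
    return "allowed"


# Constructed sample responses: the demo origin is from the report, the header
# sets are illustrative and were not captured from the live site.
PAGE = "https://demo.cms.feehi.com"
UNPROTECTED = {"Content-Type": "text/html; charset=UTF-8"}
HARDENED_XFO = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
HARDENED_CSP = {
    "X-Frame-Options": "SAMEORIGIN",           # fallback for browsers without CSP3
    "Content-Security-Policy": "frame-ancestors 'self' https://*.feehi.com",
}

if __name__ == "__main__":
    cases = [("unprotected", UNPROTECTED), ("xfo-deny", HARDENED_XFO), ("csp", HARDENED_CSP)]
    for label, hdrs in cases:
        for framer in (PAGE, "https://admin.feehi.com", "https://third-party.example"):
            print(f"{label:12} framed by {framer:30} -> {framing_verdict(hdrs, PAGE, framer)}")
```

Sending both headers, as `HARDENED_CSP` does, is the usual deployment: `frame-ancestors` gives fine-grained control in current browsers, while `X-Frame-Options: SAMEORIGIN` covers older ones that ignore the CSP directive.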
