no x-frame-options header set which allow clickjacking attack. Fixed.

notrinos · Aug 23, 2022 · c2ff3d8 · c2ff3d8
1 parent e61e76b
commit c2ff3d8
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 3 deletions.
diff --git a/access/login.php b/access/login.php
@@ -52,6 +52,9 @@ function defaultCompany() {
 $rtl = isset($_SESSION['language']->dir) ? $_SESSION['language']->dir : 'ltr';
 $onload = !$login_timeout ? "onload='defaultCompany()'" : '';
 
+if (!headers_sent())
+	header("X-Frame-Options: SAMEORIGIN");
+
 echo "<!DOCTYPE html>\n";
 echo "<html dir='".$rtl."' >\n";
 echo "<head profile=\"http://www.w3.org/2005/10/profile\"><title>".$title."</title>\n";

diff --git a/access/password_reset.php b/access/password_reset.php
@@ -32,6 +32,9 @@ function defaultCompany() {
 $rtl = isset($_SESSION['language']->dir) ? $_SESSION['language']->dir : 'ltr';
 $onload = !$login_timeout ? "onload='defaultCompany()'" : '';
 
+if (!headers_sent())
+	header("X-Frame-Options: SAMEORIGIN");
+
 echo "<!DOCTYPE html>\n";
 echo "<html dir='".$rtl."' >\n";
 echo "<head profile=\"http://www.w3.org/2005/10/profile\"><title>".$title."</title>\n";

diff --git a/includes/page/header.inc b/includes/page/header.inc
@@ -41,7 +41,7 @@ function help_url($context=null) {
 		.'&ctxhelp=1&lang='.$country);
 }
 
-function send_css($css = '') {
+function send_css($css='') {
 	global $css_files;
 
 	init_css();
@@ -119,8 +119,10 @@ function page_header($title, $no_menu=false, $is_index=false, $onload='', $js=''
 
 	$encoding = $_SESSION['language']->encoding;
 
-	if (!headers_sent())
+	if (!headers_sent()) {
 		header("Content-type: text/html; charset=$encoding");
+		header("X-Frame-Options: SAMEORIGIN");
+	}
 
 	echo "<!DOCTYPE html>\n";
 	echo "<html dir='" . $_SESSION['language']->dir . "' >\n";
@@ -145,4 +147,4 @@ function page_header($title, $no_menu=false, $is_index=false, $onload='', $js=''
 	$rend = new renderer();
 	$rend->menu_header($title, $no_menu, $is_index);
 	error_box();
-}
+}