Possible Clickjacking / no frame busting code in dotCMS admin

Issue: SI-12
Date: Jun 8, 2013, 8:00:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: 3
Credit: Internal Security Team
Description:

It is possible to "clickjack" the dotCMS admin console, which is rendered inside a frameset. We need to add the "X-Frame-Options: Deny" / "X-Frame-Options: Sameorigin" header to every response (both CMS admin and end-user pages).

- For older browsers which do not support the X-Frame-Options header, all CMS admin pages should have the "frame busting" JavaScript applied, for example:

<head>
  <style> body { display: none; } </style>
</head>
<body>
  <script>
    /* Legacy frame-busting fallback: the body starts hidden and is only
       shown when this page is the top-level window; when the page has been
       framed, navigate the top window to the page itself instead. */
    if (self == top) {
      var theBody = document.getElementsByTagName('body')[0];
      theBody.style.display = "block";
    } else {
      top.location = self.location;
    }
  </script>
</body>

OWASP Guide to Clickjacking:
https://www.owasp.org/index.php/Clickjacking

Mitigation:

If you would like to add the protection yourself, use a static plugin to override /html/common/top_inc.jsp and set the appropriate response header there, like this:

<%
// Choose one policy. response.setHeader replaces any earlier value for the
// same header, so calling both lines leaves only the last one in effect.
// "Deny" also blocks same-origin frames, so pages that must load inside the
// admin frameset need "Sameorigin".
response.setHeader("X-Frame-Options", "Deny");
// response.setHeader("X-Frame-Options", "Sameorigin");
%>
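
The Description asks for the header on both admin and end-user responses, while the top_inc.jsp override above only covers pages that include that JSP. A servlet Filter mapped to /* closes that gap. The following is an added example and not dotCMS project code; the class name FrameOptionsFilter and the init-param name "policy" are this example's own choices.

```java
// Added example (not dotCMS code): a servlet Filter that stamps
// X-Frame-Options on every response, covering the admin console and
// end-user pages alike. Class and init-param names are assumptions.
import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class FrameOptionsFilter implements Filter {

    static final String HEADER = "X-Frame-Options";

    // DENY blocks all framing, including by the site itself; SAMEORIGIN lets
    // same-origin pages frame each other, which the admin frameset relies on.
    private String policy = "SAMEORIGIN";

    @Override
    public void init(FilterConfig config) throws ServletException {
        // "policy" is an assumed init-param name for this example.
        String configured = config.getInitParameter("policy");
        if (configured != null) {
            policy = validate(configured.trim());
        }
    }

    // Accept only the two values the advisory names. Anything else fails at
    // startup instead of silently emitting a header value browsers ignore.
    static String validate(String value) throws ServletException {
        String upper = value.toUpperCase(Locale.ROOT);
        if (upper.equals("DENY") || upper.equals("SAMEORIGIN")) {
            return upper;
        }
        throw new ServletException("Unsupported X-Frame-Options policy: " + value);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set before the chain runs so the header is present before the
            // response is committed. setHeader replaces any earlier value, so a
            // page that also sets it does not end up with two conflicting values.
            ((HttpServletResponse) res).setHeader(HEADER, policy);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map the filter in web.xml with a filter-mapping whose url-pattern is /* and, if a different policy is wanted, an init-param named policy. Because the admin console itself runs in a frameset, DENY would block the console's own frames; SAMEORIGIN is the value that keeps it working, and DENY suits deployments whose pages are never framed. The value must be sent as a real HTTP response header: browsers ignore X-Frame-Options given as a <meta http-equiv> tag, so the header cannot be added from page markup alone.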

References
  • https://github.com/dotCMS/dotCMS/issues/3053