Clickjacking protection in MantisBT 1.2.1

Mantis Bug Tracker 1.2.1 includes initial support for the X-Frame-Options and X-Content-Security-Policy headers. Both are browser security features that, among other things, protect users against clickjacking attacks. If you’re unfamiliar with clickjacking, this presentation by Paul Stone at Black Hat EU 2010 provides an introduction to the topic. Essentially these headers tell the browser to refuse to render a MantisBT site inside an IFrame on another website.

X-Frame-Options is supported in the latest versions of Internet Explorer, Opera, Safari and Chrome. If you’re using Firefox, you’ll need to install the NoScript extension to gain support for X-Frame-Options. However, Firefox 3.7 (currently under development) will support a more advanced security system called Content Security Policy (CSP). Where X-Frame-Options only lets you toggle framing between on and off, CSP’s frame-ancestors directive lets you list which domains are allowed to frame your MantisBT installation. CSP goes beyond clickjacking protection: it also blocks content (images, scripts, etc.) hosted on a different domain unless the policy explicitly allows that domain. This is useful as an added layer of defence against cross site scripting (XSS) attacks, because an injected script tag can no longer pull code from an attacker’s website. Note that the policy MantisBT sends enables the inline-script and eval-script options, so injected inline script is still allowed to run; the CSP protection here is against remote script sources, not a complete XSS fix.

At the moment there are no configuration options within MantisBT to disable or adjust this new clickjacking protection. If you know what you’re doing and understand the clickjacking threat to your MantisBT installation, you can disable or reconfigure it by editing core/http_api.php. If you want to embed your MantisBT installation in an IFrame from a page on the same domain (for instance, bugs.yourname.com contains an IFrame which loads bugs.yourname.com/mantisbt/) then you will need to change the http_security_headers() function as follows:

Find:

header( 'X-Frame-Options: DENY' );

Replace:

header( 'X-Frame-Options: SAMEORIGIN' );

Find:

header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'none'" );

Replace:

header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'self'" );

If you want to load your MantisBT installation in an IFrame from a different domain then you’ll need to comment out (place two forward slashes in front of) the line below. Be aware that X-Frame-Options offers no per-domain allow list (only DENY and SAMEORIGIN are used here), so removing it leaves the site framable by any page in browsers that don’t implement CSP, which at the time of writing is every browser except the Firefox 3.7 development builds:

header( 'X-Frame-Options: DENY' );

You’ll then also need to make the following change, where somewhere.yourdomain.com is the domain containing the page which loads MantisBT within an IFrame. Host sources are written without quotes; only the keywords ‘self’ and ‘none’ are quoted:

header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors somewhere.yourdomain.com" );

As mentioned earlier, CSP also restricts the domains from which external content (images, scripts, etc.) may be loaded. If you’ve written any custom plugins for MantisBT that load data in the browser from other domains (and your users are running the Firefox 3.7 beta) then you’ll need to read the CSP specification and add the required directives (for example img-src or script-src entries naming those domains) to the X-Content-Security-Policy header built in the http_security_headers() function within http_api.php.
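The edits above hand-patch two headers that must stay in agreement, and plugin sources have to be spliced into the same string. The following is an added example, not MantisBT’s own code, of how http_security_headers() could derive both headers from a single setting and take the extra CSP sources a plugin needs. The option names framing_policy and csp_extra_sources, the functions framing_headers(), csp_host_source() and http_security_headers_example(), and the $p_avatar_img_allow parameter are assumptions for this example; the stock function’s $t_avatar_img_allow fragment is passed through unchanged because its contents are not shown on this page. config_get() with a default value is MantisBT’s existing config API.

```php
<?php
// Added example (not MantisBT's own code). Derives both clickjacking headers
// from one setting so X-Frame-Options and frame-ancestors cannot drift apart,
// and lets plugins declare the extra CSP sources they need.
//
// Assumptions: the config options 'framing_policy' and 'csp_extra_sources'
// and the function names below do not exist in MantisBT 1.2.1.
// $p_avatar_img_allow is the stock function's $t_avatar_img_allow fragment,
// passed through unchanged.

// Returns the header lines to send for a framing policy:
//   'deny'         -> X-Frame-Options: DENY       + frame-ancestors 'none'
//   'sameorigin'   -> X-Frame-Options: SAMEORIGIN + frame-ancestors 'self'
//   array of hosts -> no X-Frame-Options (it has no per-host form here)
//                     + frame-ancestors listing those hosts
// $p_extra maps CSP directive names (e.g. 'script-src') to arrays of sources.
function framing_headers( $p_policy, $p_avatar_img_allow = '', $p_extra = array() ) {
	$t_headers = array();

	if( $p_policy === 'deny' ) {
		$t_headers[] = 'X-Frame-Options: DENY';
		$t_ancestors = "'none'";
	} else if( $p_policy === 'sameorigin' ) {
		$t_headers[] = 'X-Frame-Options: SAMEORIGIN';
		$t_ancestors = "'self'";
	} else if( is_array( $p_policy ) && count( $p_policy ) > 0 ) {
		// Caveat: with X-Frame-Options omitted, browsers without CSP support
		// let any page frame this site. Only CSP-aware browsers enforce the
		// frame-ancestors list below.
		$t_ancestors = implode( ' ', array_map( 'csp_host_source', $p_policy ) );
	} else {
		trigger_error( 'framing_policy must be deny, sameorigin or a list of hosts', E_USER_ERROR );
	}

	$t_csp = "allow 'self'; options inline-script eval-script" . $p_avatar_img_allow;
	foreach( $p_extra as $t_directive => $t_sources ) {
		if( !preg_match( '/^[a-z]+-src$/', $t_directive ) ) {
			trigger_error( "Unsupported CSP directive: $t_directive", E_USER_ERROR );
		}
		// A per-type directive replaces the 'allow' default for that type, so a
		// plugin that needs a remote host must list 'self' too or MantisBT's
		// own scripts/images stop loading.
		$t_csp .= '; ' . $t_directive . ' ' . implode( ' ', array_map( 'csp_host_source', $t_sources ) );
	}
	$t_csp .= '; frame-ancestors ' . $t_ancestors;
	$t_headers[] = 'X-Content-Security-Policy: ' . $t_csp;

	return $t_headers;
}

// Validates one source expression. Hosts are written unquoted in CSP; only the
// keywords 'self' and 'none' take quotes. Rejecting anything else (notably ';')
// stops a bad config value from splicing a new directive into the policy.
function csp_host_source( $p_source ) {
	if( $p_source === "'self'" || $p_source === "'none'" ) {
		return $p_source;
	}
	if( !preg_match( '#^(https?://)?[A-Za-z0-9.*-]+(:[0-9]+)?$#', $p_source ) ) {
		trigger_error( "Invalid CSP host source: $p_source", E_USER_ERROR );
	}
	return $p_source;
}

// Replacement body for http_security_headers(): read the (assumed) options,
// defaulting to the stock 1.2.1 behaviour of denying all framing.
function http_security_headers_example( $p_avatar_img_allow = '' ) {
	$t_policy = config_get( 'framing_policy', 'deny' );      // assumed option
	$t_extra  = config_get( 'csp_extra_sources', array() );  // assumed option
	foreach( framing_headers( $t_policy, $p_avatar_img_allow, $t_extra ) as $t_header ) {
		header( $t_header );
	}
}

// Constructed example values: allow framing from one trusted host and let a
// plugin load a script from a CDN. Outside MantisBT run: php this_file.php
print_r( framing_headers( array( 'somewhere.yourdomain.com' ), '',
	array( 'script-src' => array( "'self'", 'cdn.yourdomain.com' ) ) ) );
```

After changing the function, confirm what the server actually sends with `curl -sI https://bugs.yourname.com/mantisbt/` and check that the X-Frame-Options value (or its absence) and the frame-ancestors value tell the same story; a DENY next to a frame-ancestors host list means non-CSP browsers will still refuse the frame.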

The addition of these clickjacking prevention measures to MantisBT 1.2.1 helps keep your MantisBT installation secure against the “latest” (clickjacking has been around for years already) web application attacks. We hope to enhance this protection in future versions of MantisBT as these experimental browser clickjacking specifications are further developed. MantisBT 1.2.0 includes robust cross site request forgery (CSRF) protection and many improvements to preventing cross site scripting (XSS) attacks (including cookie protection with the HttpOnly flag). If you’re still using MantisBT 1.1.8 or an earlier version you are strongly encouraged to upgrade to MantisBT 1.2.1 to ensure that your bug tracker(s) are properly secured.

11 thoughts on “Clickjacking protection in MantisBT 1.2.1”

  1. Great change and I am glad that you posted a workaround for us using Mantis partially inside a frame ;). However, having configuration options for this would be a real highlight 😉

    Thank you for a great product!

  2. Regarding security systems, specifically for businesses, I need to agree with you entirely. You’ll find so many options in the marketplace, it’s critical for an expert to know what is greatest for their situation and particular complex. The insights you are supplying are an excellent help to companies as well as security experts alike. Many thanks once more!

  3. I heard that the most common use of MantisBT is to track software defects. However, MantisBT is often configured by users to serve as a more generic issue tracking system and project management tool, then it is very useful in our business.

  4. I tried to follow the instructions and now I can include Mantis in an IFrame, but I still have problems in Firefox, since it returns a security error:
    (Bloccato dai criteri sulla sicurezza dei contenuti, i.e. “Blocked by the content security policy”).

    I tried to add other items to the function http_security_headers(), but I do not get any change:
    header( "X-Content-Security-Policy: allow 'self' 'http://www.genum.it'; frame-src 'http://www.genum.it'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'http://www.genum.it'" );

    On Chrome and IE8 it works perfectly... what is wrong?

  5. I have updated my version of Firefox to the latest, 4.0 I think, and this seems to work. Have a test and try it out.

  6. […]header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'self'" );[…] this really helped me out! Thanks a bunch!
