View Issue Details

ID: 0011824
Project: mantisbt
Category: security
View Status: public
Last Update: 2013-04-07 11:01
Reporter: dhx
Assigned To: dhx
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.1
Fixed in Version: 1.2.1
Summary: 0011824: Implement X-Frame-Options clickjacking protection
Description

References on what X-Frame-Options is:
http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
http://blogs.msdn.com/ieinternals/archive/2010/03/30/Combating-ClickJacking-with-X-Frame-Options.aspx

Essentially, by sending X-Frame-Options: DENY as an HTTP header we prevent MantisBT from being loaded inside an iframe. This prevents MantisBT from being the target of clickjacking attacks (which bypass CSRF protection, because the victim's own browser submits the request with a valid token).

There could be some limited use cases for framing MantisBT (Google Image results), however we have single-click action buttons on view.php that could be the target of clickjacking attacks. Some browsers do give the user the option to open the frame in a new window anyway (and Google Images has a button to load the site outside of a frame).
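As an added example (not code from this issue or from MantisBT), a small Python checker that classifies the X-Frame-Options policy found in a response's header block, so an administrator can confirm a deployed instance actually sends the header described above. The sample header blocks are constructed; `check_url` is a hypothetical helper for running the same check against a live page.

```python
import re
from typing import List, Tuple

# Constructed sample header blocks: a server without the header and one sending DENY.
UNPATCHED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: no-store
"""
PATCHED = UNPATCHED + "X-Frame-Options: DENY\n"


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response header block into (name, value) pairs; names are lower-cased."""
    pairs = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or malformed line
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_protection(raw: str) -> Tuple[str, str]:
    """Return (verdict, detail) describing whether framing of the page is blocked."""
    values = [v for n, v in parse_headers(raw) if n == "x-frame-options"]
    if not values:
        return "unprotected", "no X-Frame-Options header; page can be framed by any site"
    if len({v.upper() for v in values}) > 1:
        # Browsers disagree on conflicting values; conservatively assume no protection.
        return "unprotected", "conflicting X-Frame-Options values: " + ", ".join(values)
    value = values[0]
    if value.upper() == "DENY":
        return "protected", "framing denied from all origins"
    if value.upper() == "SAMEORIGIN":
        return "protected", "framing allowed only from the same origin"
    m = re.match(r"ALLOW-FROM\s+(\S+)$", value, re.IGNORECASE)
    if m:  # legacy directive: browsers that do not support it simply ignore the header
        return "partial", f"legacy ALLOW-FROM {m.group(1)}; unsupported browsers do not enforce it"
    return "unprotected", f"unrecognised value {value!r}; browsers ignore invalid directives"


def check_url(url: str) -> Tuple[str, str]:
    """Hypothetical helper: fetch a live page (e.g. view.php) and classify its headers."""
    from urllib.request import urlopen
    with urlopen(url) as resp:
        raw = f"HTTP/1.1 {resp.status}\n" + "".join(f"{k}: {v}\n" for k, v in resp.getheaders())
    return frame_protection(raw)


if __name__ == "__main__":
    for label, block in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, *frame_protection(block))
```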

Tags: No tags attached.

Relationships

related to 0011825 (closed, dhx): Support X-Content-Security-Policy (CSP)
related to 0012165 (acknowledged): Allow mantis to be loaded in an iframe
related to 0013542 (closed, rombert): in MantisGraph, function "Show as Table" try to open an iframe and fail
related to 0015724 (closed, atrol): Allow administrators to customize X-Frame-Options header

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.2.x 3cd065de

2010-04-22 08:02:20

dhx

Issue 0011824: Implement X-Frame-Options clickjacking protection

The X-Frame-Options header can help prevent clickjacking attacks against
MantisBT installations by preventing MantisBT from being loaded inside
an iframe.

Currently the following browsers support X-Frame-Options:
* IE8+
* Opera 10.50+
* Safari 4+
* Chrome 4.1.249.1042+
* Firefox with NoScript
Affected Issues
0011824
mod - core/http_api.php

MantisBT: master d9db796f

2010-04-22 08:02:20

dhx

Issue 0011824: Implement X-Frame-Options clickjacking protection

The X-Frame-Options header can help prevent clickjacking attacks against
MantisBT installations by preventing MantisBT from being loaded inside
an iframe.

Currently the following browsers support X-Frame-Options:
* IE8+
* Opera 10.50+
* Safari 4+
* Chrome 4.1.249.1042+
* Firefox with NoScript
Affected Issues
0011824
mod - core/http_api.php

Issue History

Date Modified Username Field Change
2010-04-22 03:48 dhx New Issue
2010-04-22 03:48 dhx Status new => assigned
2010-04-22 03:48 dhx Assigned To => dhx
2010-04-22 04:05 dhx Changeset attached => MantisBT master-1.2.x 3cd065de
2010-04-22 04:05 dhx Changeset attached => MantisBT master d9db796f
2010-04-22 04:25 dhx Status assigned => resolved
2010-04-22 04:25 dhx Fixed in Version => 1.2.1
2010-04-22 04:25 dhx Resolution open => fixed
2010-04-22 04:37 dhx Relationship added related to 0011825
2010-04-23 14:30 jreese Status resolved => closed
2010-07-13 17:58 dhx Relationship added related to 0012165
2011-11-18 02:58 dhx Relationship added related to 0013542
2013-04-07 11:01 rombert Relationship added related to 0015724