Last modified: 2012-04-12 13:54:27 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T28561, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 26561 - Clickjacking vulnerabilities
Clickjacking vulnerabilities
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
General/Unknown (Other open bugs)
1.16.x
All All
: Normal major (vote)
: ---
Assigned To: Tim Starling
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-01-04 06:09 UTC by Tim Starling
Modified: 2012-04-12 13:54 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Tim Starling 2011-01-04 06:09:48 UTC
Clickjacking is a type of vulnerability discovered in 2008, which is similar to CSRF. 

The attack involves displaying the target webpage in a iframe embedded in a malicious website. Using CSS, the submit button of the form on the target webpage is made invisible, and then overlaid with some button or link on the malicious website that encourages the user to click on it. For more information, see:

  http://en.wikipedia.org/wiki/Clickjacking
  http://www.owasp.org/index.php/Clickjacking

Web browsers have standardised on a defence called X-Frame-Options, which puts the onus on the web application to prevent framing of sensitive content. 

Wikipedia user PleaseStand brought it to our attention that despite the passage of more than two years, MediaWiki still had no defence against clickjacking. PleaseStand pointed out that when user or site JavaScript or CSS is enabled ($wgAllowUserJs, $wgAllowUserCss, $wgUseSiteJs or $wgUseSiteCss), clickjacking is essentially equivalent to cross-site scripting (XSS), that is to say, it allows full compromise of the account of the user visiting the malicious website.

A fix will be shortly released, in MediaWiki 1.16.1. Our approach is to allow framing of basic page views and search pages, but to deny framing of special pages unless they have explicitly opted out of clickjacking protection. By taking this moderate approach, instead of denying all framing, we hope to avoid having system administrators disable the security feature by patching it out.

Security-conscious system administrators may wish to disable framing entirely using $wgBreakFrames = true. In MediaWiki 1.16.1 or later, this will provide protection against clickjacking vulnerabilities in extensions which opt out incorrectly or embed sensitive forms on pages which are opted out. 

Alternatively, you can configure your web server to send an X-Frame-Options header on all pages. For example with Apache mod_headers:

   Header always set X-Frame-Options DENY

For MediaWiki 1.15.x or earlier branches, we will provide a simplified security patch which denies all framing. 

Extensions which wish to allow framing on a given page should do so by calling $wgOut->allowClickjacking(). This should only be done on pages which do not contain CSRF-protected forms or links. Any extension which embeds a CSRF-protected form in an unprotected article view page should call $wgOut->preventClickjacking(), after Article::view() has called $wgOut->allowClickjacking(), to reset the flag. 

To be protected against clickjacking, all users need to use a browser which supports the X-Frame-Options header. Our patch does include standard frame-breaking JavaScript code, but this is known to be insufficient for most browsers. See the OWASP article for more details. For information on supported browsers, see:

<https://developer.mozilla.org/en/the_x-frame-options_response_header>
Comment 1 Tim Starling 2011-01-04 07:10:36 UTC
Fixed in trunk in r79561.

Release announcement:
<http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-January/000093.html>

Simplified patch for 1.15.x:
http://www.mediawiki.org/wiki/Special:Code/MediaWiki/79566

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links