Univention Bugzilla – Bug 39733
UMC should set X-Frame-Options HTTP response header
Last modified: 2021-06-23 07:29:10 CEST
UMC should set the X-Frame-Options HTTP response header (https://tools.ietf.org/html/rfc7034) to make sure it is not loaded in an iframe (e.g. Bug #39731).

In general this should be ok:
X-Frame-Options: DENY

For login.html and blank.html (and maybe some iframe-IE-upload things) we need to set:
X-Frame-Options: SAMEORIGIN
Could that also prevent an attack via image tags, e.g.:
<img src="http://ucs.example.com/univention-management-console/command/lib/server/shutdown">

See also: https://en.wikipedia.org/wiki/Cross-site_request_forgery
No, but this can be achieved with the "Content-Security-Policy" header field, e.g.:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'self'; frame-src 'self'; font-src 'none'; connect-src 'self'; form-action 'self'; frame-ancestors 'none'; report-uri /csp-violation;
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
The apache configuration now contains some security related HTTP response headers which prevent clickjacking, cross site scripting and loading UMC in an <iframe>. The restrictions can be overwritten directly in the UMC module (if necessary; shouldn't be the case).

The values for the Content-Security-Policy (https://www.w3.org/TR/CSP2/) header can be overwritten via UCR:
umc/http/content-security-policy/default-src
umc/http/content-security-policy/script-src
umc/http/content-security-policy/object-src
umc/http/content-security-policy/style-src
umc/http/content-security-policy/img-src
umc/http/content-security-policy/media-src
umc/http/content-security-policy/frame-src
umc/http/content-security-policy/child-src
umc/http/content-security-policy/font-src
umc/http/content-security-policy/connect-src
umc/http/content-security-policy/form-action
umc/http/content-security-policy/frame-ancestors

I guess the defaults are okay. script-src contains piwik.univention.de as well as youtube (for the appcenter).

univention-management-console-frontend (6.0.1-1):
r71763 | Bug #39733: set security relevant HTTP headers

(In reply to Alexander Kläser from comment #1)
> Could that also prevent an attack via images tags, e.g.:
This is not the goal of this bug but Bug #39731 is. This bug is to prevent Clickjacking attacks and Cross-Site-Scripting.

TODO: Changelog entry
TODO: UCR variable descriptions
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
https://www.w3.org/TR/CSP2/
https://content-security-policy.com/
http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
r75871 | Changelog Bug #39733 Bug #39731

univention-management-console (9.0.15-1):
r75870 | Bug #39733: Add UCR variable description
I added a test case which checks if these headers are set:
r76148 | Bug #43348: Add basic apache/UMC tests
I added "data:" URIs to the img-src Content-Security-Policy as we display a preview of the uploaded user image. As /univention/saml/ is loaded in an iframe, it has to be allowed as well.

univention-management-console (9.0.21-1):
r76323 | Bug #39733: Allow data: img-src URIs in CSP; Allow /univention/saml to be loaded in iframe
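The header policy described in the description, in comment 3 (CSP directives overridable via UCR) and in the comment above (data: for img-src, /univention/saml/ embeddable) can be modelled as a small header builder. This is an added example, not UMC's or Univention's own code: the default directive values, the UCR key prefix, the "empty value drops the directive" rule and the exact paths that get SAMEORIGIN are assumptions made for the example, not the shipped UCS configuration.

```python
# Added example (not UMC's own code): assemble the X-Frame-Options and
# Content-Security-Policy headers discussed in this bug, with UCR-style
# overrides per directive. Defaults and paths below are assumptions.

UCR_PREFIX = "umc/http/content-security-policy/"

# Assumed defaults, loosely following the comments on this bug.
# img-src allows data: URIs so the uploaded user-image preview renders.
CSP_DEFAULTS = {
    "default-src": "'self'",
    "script-src": "'self' 'unsafe-inline'",
    "object-src": "'self'",
    "style-src": "'self' 'unsafe-inline'",
    "img-src": "'self' data:",
    "media-src": "'self'",
    "frame-src": "'self'",
    "child-src": "'self'",
    "font-src": "'none'",
    "connect-src": "'self'",
    "form-action": "'self'",
    "frame-ancestors": "'none'",
}

# Pages that are legitimately embedded in a same-origin iframe (assumed
# locations for login.html / blank.html; /univention/saml/ is from the bug).
SAMEORIGIN_BASENAMES = ("login.html", "blank.html")
SAMEORIGIN_PREFIXES = ("/univention/saml/",)


def csp_from_ucr(ucr):
    """Build the Content-Security-Policy value from a dict of UCR variables.

    A key umc/http/content-security-policy/<directive> replaces the default
    for that directive; an empty override removes the directive entirely
    (assumed semantics for this example).
    """
    directives = []
    for name, default in CSP_DEFAULTS.items():
        value = ucr.get(UCR_PREFIX + name, default)
        if value is None or not value.strip():
            continue
        directives.append(f"{name} {value.strip()}")
    return "; ".join(directives) + ";"


def x_frame_options_for(path):
    """DENY everywhere except the few pages that are framed by UMC itself."""
    basename = path.rsplit("/", 1)[-1]
    if basename in SAMEORIGIN_BASENAMES:
        return "SAMEORIGIN"
    if any(path.startswith(prefix) for prefix in SAMEORIGIN_PREFIXES):
        return "SAMEORIGIN"
    return "DENY"


def security_headers(path, ucr=None):
    """Headers to attach to the response for `path`."""
    ucr = ucr or {}
    return {
        "X-Frame-Options": x_frame_options_for(path),
        "Content-Security-Policy": csp_from_ucr(ucr),
    }


if __name__ == "__main__":
    # Constructed UCR overrides, mirroring the QA check later in this bug
    overrides = {UCR_PREFIX + "style-src": "'self' 'unsafe-inline'"}
    for p in ("/univention/management/", "/univention/login.html", "/univention/saml/"):
        for k, v in security_headers(p, overrides).items():
            print(f"{p}: {k}: {v}")
```

The per-directive override keeps the operator from having to restate the whole policy to loosen one source list, which is the shape the UCR variables in comment 3 suggest; a single frame-ancestors value for all paths means the X-Frame-Options exception and the CSP directive have to be kept consistent by hand, which is worth remembering when overriding either.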
What I tested:

ucr set umc/http/content-security-policy/style-src=none
systemctl restart apache2
-> NO css files are delivered -> OK

ucr set umc/http/content-security-policy/style-src="'self' 'unsafe-inline'"
systemctl restart apache2
-> css files are delivered -> OK

User images work -> OK
Changelog -> OK

Looks good to me -> Verified
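The check that r76148 (comment 5) adds, whether the headers are actually present on a response, can be done against raw response headers without touching the browser; the QA steps above then cover the effect. The following is an added example, not the test from r76148: it parses a constructed HTTP response (not captured from a real UCS host), confirms X-Frame-Options and Content-Security-Policy are present and well-formed, and flags a frame-ancestors directive that contradicts the X-Frame-Options value. The consistency rule and the sample response are assumptions for the example.

```python
# Added example (not UMC's test suite): verify the security headers that
# this bug introduces on a raw HTTP response, and check that the CSP
# frame-ancestors directive agrees with X-Frame-Options.

REQUIRED_HEADERS = ("X-Frame-Options", "Content-Security-Policy")

# Constructed sample response; not captured from a real UCS system.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; "
    "script-src 'self' 'unsafe-inline'; img-src 'self' data:; "
    "style-src 'self' 'unsafe-inline'; frame-ancestors 'none';\r\n"
    "\r\n"
    "<html><body>UMC</body></html>"
)


def parse_headers(raw):
    """Map lower-cased header name -> list of values (headers may repeat)."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(value):
    """Map directive name -> list of source expressions."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_security_headers(raw):
    """Return a list of findings; an empty list means the response passes."""
    headers = parse_headers(raw)
    findings = []
    for name in REQUIRED_HEADERS:
        if name.lower() not in headers:
            findings.append(f"missing {name}")

    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    if xfo and xfo[0] not in ("DENY", "SAMEORIGIN"):
        findings.append(f"unexpected X-Frame-Options value {xfo[0]!r}")

    csp_values = headers.get("content-security-policy", [])
    policy = parse_csp(csp_values[0]) if csp_values else {}
    ancestors = policy.get("frame-ancestors")

    # Assumed consistency rule: DENY pairs with frame-ancestors 'none',
    # SAMEORIGIN with 'self'. A mismatch means browsers that honour CSP
    # and those that only honour X-Frame-Options behave differently.
    if xfo and ancestors is not None:
        expected = ["'none'"] if xfo[0] == "DENY" else ["'self'"]
        if ancestors != expected:
            findings.append(
                f"frame-ancestors {' '.join(ancestors)} contradicts "
                f"X-Frame-Options {xfo[0]}"
            )
    return findings


if __name__ == "__main__":
    result = check_security_headers(SAMPLE_RESPONSE)
    print("OK" if not result else "\n".join(result))
```

Running this against responses for both a normal UMC page and one of the SAMEORIGIN exceptions (login.html, /univention/saml/) is the quickest way to notice that a single UCR-set frame-ancestors value cannot be right for both at once.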
UCS 4.2 has been released:
https://docs.software-univention.de/release-notes-4.2-0-en.html
https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".