Vulnerability found with WordPress and WooCommerce! You might want to apply this patch!

Summary:

X-Frame-Options ALLOW-FROM https://wordpresssite/my-account/ is supported by several browsers.

Steps To Reproduce:

  1. Create a new HTML file.
  2. Put <iframe src="https://wordpresssite/my-account/"></iframe> in the file.
  3. Save the file.
  4. Open document in browser.

Impact:

An attacker may trick a user by sending them a malicious link; the user opens it, clicks some image, and their account is unknowingly deactivated.

Solution:

To fix the vulnerability, add "frame-ancestors 'self';" to the CSP (Content-Security-Policy) header. With Nginx, you can add the following line inside your Nginx server block:

add_header Content-Security-Policy "frame-ancestors 'self';";

This will set the frame-ancestors directive of the Content-Security-Policy header to 'self', which means that only your own domain is allowed to embed your page using <frame>, <iframe>, <object>, <embed>, or <applet>.

FIX:

Content-Security-Policy: frame-ancestors 'self' is better, because it checks all frame ancestors. You should implement a CSP header to avoid these sorts of attacks.

You’re welcome!


Is this vulnerability introduced by WooCommerce, or is it applicable to WordPress alone too?

By the way, YunoHost’s /etc/nginx/conf.d/security.conf.inc already includes more_set_headers "X-Frame-Options : SAMEORIGIN";, which seems to have the same effect as CSP “frame-ancestors”.
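To check which of the two fixes in this thread (the nginx `frame-ancestors 'self'` header from the report, and the `X-Frame-Options: SAMEORIGIN` that YunoHost's security.conf.inc already sets) actually stops a page from being framed by a third-party origin, here is an added example, not code from the original post, WordPress, WooCommerce or YunoHost. It applies the browser rules offline to constructed header sets: an enforced CSP `frame-ancestors` directive takes precedence over `X-Frame-Options`, `DENY`/`SAMEORIGIN` are honoured, and the obsolete `ALLOW-FROM` is not recognised by current browsers, which leaves the page framable. The page URL, the attacker origin and the sample headers are assumptions for the demo; port and path matching are simplified.

```python
"""Offline clickjacking-protection checker (added example, not from the thread).

Decides whether a page served with a given set of response headers may be
embedded in an <iframe> by a page on another origin, following the rules
browsers apply: enforced CSP frame-ancestors wins; else X-Frame-Options;
else the page is framable. Hosts and scheme matching are simplified
(ports and paths ignored). Sample URLs and headers below are constructed.
"""
from urllib.parse import urlsplit


def origin_of(url):
    """Reduce a URL to its lower-cased scheme://host origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def parse_frame_ancestors(csp):
    """Return frame-ancestors source expressions, or None if the directive is absent.

    frame-ancestors does not fall back to default-src, so only the directive itself counts.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def source_matches(source, embedder, page):
    """Does one frame-ancestors source expression allow the embedder origin?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == page
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:        # scheme-source, e.g. https:
        return embedder.startswith(source + "//")
    scheme, _, host = source.rpartition("://")            # host-source, optional scheme
    e_scheme, _, e_host = embedder.rpartition("://")
    if scheme and scheme != e_scheme:
        return False
    if host.startswith("*."):                             # wildcard subdomain
        return e_host.endswith(host[1:])
    return host == e_host


def can_be_framed(headers, page_url, embedder_url):
    """Return (allowed, reason) for embedder_url framing page_url under these headers."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = parse_frame_ancestors(csp)
        if sources is not None:
            # Browsers ignore X-Frame-Options once frame-ancestors is present.
            allowed = any(source_matches(s, embedder, page) for s in sources)
            return allowed, "CSP frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options DENY"
    if xfo == "SAMEORIGIN":
        return embedder == page, "X-Frame-Options SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete value: current browsers do not implement it, so it gives no protection.
        return True, "X-Frame-Options ALLOW-FROM is not supported by current browsers"
    return True, "no framing restriction"


# Constructed sample inputs (assumed names, not captured from a real site).
PAGE = "https://wordpresssite/my-account/"
ATTACKER = "https://attacker.example/decoy.html"
SAMPLES = {
    "unpatched":     {"Content-Type": "text/html"},
    "allow-from":    {"X-Frame-Options": "ALLOW-FROM https://wordpresssite/"},
    "nginx csp fix": {"Content-Security-Policy": "frame-ancestors 'self';"},
    "yunohost xfo":  {"X-Frame-Options": "SAMEORIGIN"},
}


def audit(samples=SAMPLES, page=PAGE, embedder=ATTACKER):
    """Evaluate every sample header set against one attacker origin."""
    return {name: can_be_framed(h, page, embedder) for name, h in samples.items()}


if __name__ == "__main__":
    for name, (allowed, why) in audit().items():
        print(f"{name:14} framable by {origin_of(ATTACKER)}: {allowed}  ({why})")
```

Feed it the headers the live site actually returns rather than the ones you configured: with nginx, an `add_header` inside a `location` block replaces every `add_header` inherited from the `server` block, so a header added at server level can silently disappear on the exact path you are trying to protect.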

Might be both, haven't tested that out yet. But in this case, people might rather be safe than sorry!

Can be, but I still was able to reproduce this issue with the steps I've provided.

The actual answer is important because we can't just be attempting to fix every security issue that any random WordPress plugin could introduce …