security


Steve Howes

Aug 23, 2021, 5:49:33 AM
to AtoM Users
Recent tests on our locally installed web applications have reported back that:

"Web Application Potentially Vulnerable to Clickjacking" for the 2.4 version of AtoM we have installed.

Has anyone come across this? Would it be 'fixed' in a later version?

Thanks

Dan Gillean

Aug 24, 2021, 11:46:41 AM
to ICA-AtoM Users
Hi Steve, 

There have been a number of security patches since the 2.4 version - most notably in releases 2.5.2, 2.5.3, 2.6.2, and 2.6.3

I do not know off-hand if this particular issue has been reported and patched. I wonder if you might be willing to send any of the test details to secu...@artefactual.com (as per the security reporting policy we have in our code repository here) so that we can follow up internally, reproduce the issue, and devise a fix for a future release if one is not already in place?

Thanks in advance! 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him


--
You received this message because you are subscribed to the Google Groups "AtoM Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ica-atom-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/6871fbf5-e822-4109-bad0-b0afe9ae93e7n%40googlegroups.com.

Steve Howes

Aug 25, 2021, 5:32:02 AM
to AtoM Users
Thanks Dan, I'll see if I can get more detail. The version of the report I see is lacking, but hopefully someone here can give me more, and if so, I'll send them.

Jim Adamson

Sep 1, 2021, 6:12:37 AM
to AtoM Users
Hi Steve,

From the wording of the reported vulnerability —  Web Application Potentially Vulnerable to Clickjacking — I'd hazard a guess your scanning tool is Nessus. We use Nessus but it didn't report Vulnerable to Clickjacking against our AtoM 2.6.4 VMs. However, this is likely because some years ago I made customisations to the Nginx configuration specifically to prevent clickjacking, rather than because we're on the latest AtoM release.

I think what you need to do is add the following to your Nginx configuration, inside the main server { } block:

  add_header X-Frame-Options DENY;
  add_header Content-Security-Policy "frame-ancestors 'none'";

This assumes you don't need to allow other sites to frame/iframe your AtoM site. We do, so we have a slightly different configuration. I believe you need both lines because of varying levels of browser support for the two headers. You'll need to run systemctl reload nginx for the configuration change to take effect. Then run another scan and see if the vulnerability is still reported. You'll also want to test the site to make sure the change hasn't had any unintended consequences.

See also this web page as a reference to how to protect against clickjacking. 

In our case Nessus did pick up on other things, but my conclusion was that they were all false positives. I'm happy to share details off-list (and/or via the security email address, Dan) if this would be helpful.

Thanks, Jim
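As an added example (not code from this thread, from AtoM or from Artefactual), the following POSIX shell script classifies a captured block of HTTP response headers by the two headers Jim describes, so the nginx change can be checked from the command line before the next scan rather than waiting for the scanner. The header blocks inside it are constructed samples, and check_url is a hypothetical wrapper around curl -I for use against a live site.

```shell
#!/bin/sh
# Added example: not code from this thread, from AtoM or from Artefactual.
# Classifies a captured block of HTTP response headers by the two anti-framing
# headers recommended above: X-Frame-Options and the Content-Security-Policy
# frame-ancestors directive. The sample header blocks near the end are
# constructed for this example, not captured from a real AtoM instance.

# Print the value of the first header named $2 in header block $1
# (case-insensitive name, CRLF and surrounding whitespace removed).
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 \
    | cut -d: -f2- | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Print "protected" when both headers restrict framing, "partial" when only
# one does, "unprotected" when neither does. Always exits 0; use is_protected
# for a yes/no exit status.
classify_antiframing() {
  hdrs=$1
  xfo=$(header_value "$hdrs" 'X-Frame-Options' | tr '[:lower:]' '[:upper:]')
  csp=$(header_value "$hdrs" 'Content-Security-Policy')

  # X-Frame-Options: DENY and SAMEORIGIN are the values browsers honour; the
  # obsolete ALLOW-FROM form is ignored by current browsers and does not count.
  xfo_ok=0
  case "$xfo" in
    DENY|SAMEORIGIN) xfo_ok=1 ;;
  esac

  # CSP: pull the frame-ancestors directive out of the policy. A bare "*"
  # source lets any origin frame the page, so it does not count either.
  csp_ok=0
  fa=$(printf '%s\n' "$csp" | tr ';' '\n' | grep -i 'frame-ancestors' | head -n 1)
  if [ -n "$fa" ]; then
    if printf '%s\n' "$fa" | tr ' ' '\n' | grep -qx '\*'; then
      csp_ok=0
    else
      csp_ok=1
    fi
  fi

  if [ "$xfo_ok" -eq 1 ] && [ "$csp_ok" -eq 1 ]; then
    printf 'protected\n'
  elif [ "$xfo_ok" -eq 1 ] || [ "$csp_ok" -eq 1 ]; then
    printf 'partial\n'
  else
    printf 'unprotected\n'
  fi
}

# Exit status 0 only when both headers are in place.
is_protected() {
  [ "$(classify_antiframing "$1")" = protected ]
}

# Hypothetical live check against a running site: fetch the response headers
# with curl (HEAD request) and classify them. Not exercised below because it
# needs network access.
check_url() {
  classify_antiframing "$(curl -sSI "$1")"
}

# Constructed sample responses (not captured from any real AtoM instance).
HARDENED_HEADERS="HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
"
XFO_ONLY_HEADERS="HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
"
WILDCARD_CSP_HEADERS="HTTP/1.1 200 OK
Server: nginx
Content-Security-Policy: default-src 'self'; frame-ancestors *
"
BARE_HEADERS="HTTP/1.1 200 OK
Server: nginx
"

printf 'hardened sample:     %s\n' "$(classify_antiframing "$HARDENED_HEADERS")"
printf 'X-Frame-Options only: %s\n' "$(classify_antiframing "$XFO_ONLY_HEADERS")"
printf 'wildcard CSP sample: %s\n' "$(classify_antiframing "$WILDCARD_CSP_HEADERS")"
printf 'bare sample:         %s\n' "$(classify_antiframing "$BARE_HEADERS")"
```

Two nginx behaviours are worth knowing if a scan still flags the site after the reload: add_header directives in the server block are inherited only by location blocks that declare no add_header of their own, so a location that sets any header of its own silently drops both of these; and by default nginx attaches add_header values only to 2xx and 3xx responses, so error pages go out without them unless the directive carries the always parameter. Checking a few representative URLs, including one that returns a 404, with check_url covers both cases.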

Dan Gillean

Sep 1, 2021, 9:48:22 AM
to ICA-AtoM Users
Hi Jim, 

Thanks so much for sharing this information - it's good to hear that there is an easy solution available that doesn't require application development. I will talk to our team about potentially including something about this in the default Nginx configuration block in our documentation (with a warning about the iframe issue for users who might need to make further customizations), or at least in the Security page of the Administrator's manual. 

We do have an unrelated security enhancement that will be included in the 2.7 release. However, even if you think they might be false positives, I would be curious to hear about any results your scans have found so our team can review them and determine if there are actions we can take to improve AtoM's overall security. Please feel free to use the security email address! 

Thanks again, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him

Steve Howes

Nov 8, 2021, 6:57:55 AM
to AtoM Users
Thanks Jim, I am not sure who was contracted to do our pen testing, but we do use Nessus. I have made the change you suggested after getting confirmation that we aren't embedding our site elsewhere. We will see how the follow-up pen testing goes.