On August 20th, the LedgerSMB project was advised of a security vulnerability in the code. Please see below our security advisory.

Insufficient protection against 'clickjacking'

Summary:
========

LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. This allows an attacker to trick a targeted user into executing unintended actions.

Known vulnerable:
=================

All of:
- 1.1.0 up to 1.1.12 (inclusive)
- 1.2.0 up to 1.2.26 (inclusive)
- 1.3.0 up to 1.3.47 (inclusive)
- 1.4.0 up to 1.4.42 (inclusive)
- 1.5.0 up to 1.5.30 (inclusive)
- 1.6.0 up to 1.6.33 (inclusive)
- 1.7.0 up to 1.7.32 (inclusive)
- 1.8.0 up to 1.8.17 (inclusive)

Known fixed:
============

- 1.7.33
- 1.8.18

Details:
========

In a clickjacking attack, an attacker (invisibly) wraps the vulnerable site in his own site, carefully placing elements of his own site over elements of the wrapped site, tricking the user into performing unintended actions on the vulnerable site. More information on clickjacking is on the OWASP page at https://owasp.org/www-community/attacks/Clickjacking

The lack of protection dates back to version 1.0, although it must be noted that mitigation measures were first available in browsers as of 2011 -- the year of the release of 1.3.0.

Severity:
=========

CVSSv3.1 Base Score: 5.9 (Medium)
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

Recommendations:
================

We recommend that all users upgrade to known-fixed versions. Versions prior to 1.7 are end-of-life and will not receive security fixes from the LedgerSMB project. Users who cannot upgrade may apply the included patches or are advised to contact a vendor for custom support.

As a workaround, administrators may configure their webservers to add the Content-Security-Policy header as documented in the content security policy site at https://content-security-policy.com/#server.
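As an added example that is not LedgerSMB's own code, the same mitigation expressed in Python/WSGI terms: a middleware that adds the `frame-ancestors 'self'` policy the project's patches set (plus X-Frame-Options for browsers that predate CSP Level 2), and an audit function an administrator can run over a deployment's response headers to confirm that framing is actually blocked. Report-only CSP, a wildcard `frame-ancestors`, and the obsolete `ALLOW-FROM` form are deliberately treated as unprotected, since browsers do not enforce them. The function names, the sample app and its headers are this example's own assumptions.

```python
# Added example (not LedgerSMB project code): a WSGI middleware that adds the
# same framing restriction as the advisory's Plack patch, and an audit helper
# that checks whether a response's headers actually prevent framing.
# All names here (anti_framing_middleware, framing_protection, sample_app)
# are this example's own.


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def framing_protection(headers):
    """Classify a list of (name, value) response headers.

    Returns 'csp' if an enforced Content-Security-Policy restricts
    frame-ancestors, 'xfo' if only X-Frame-Options (DENY/SAMEORIGIN) does,
    or None if any origin may frame the page. Report-only CSP and the
    obsolete ALLOW-FROM form do not count: browsers do not enforce them.
    """
    csp_ok = False
    xfo_ok = False
    for name, value in headers:
        lname = name.lower()
        if lname == "content-security-policy":
            ancestors = parse_csp(value).get("frame-ancestors")
            # An empty source list matches nothing (same as 'none');
            # a wildcard gives no protection at all.
            if ancestors is not None and "*" not in ancestors:
                csp_ok = True
        elif lname == "x-frame-options":
            if value.strip().upper() in ("DENY", "SAMEORIGIN"):
                xfo_ok = True
    if csp_ok:
        return "csp"
    if xfo_ok:
        return "xfo"
    return None


def anti_framing_middleware(app, frame_ancestors="'self'"):
    """Wrap a WSGI app so every response forbids cross-origin framing.

    Mirrors the advisory's patch (frame-ancestors 'self') and also sends
    X-Frame-Options for browsers without CSP Level 2 support. Unlike the
    patch's header_set, a frame-ancestors policy the app already sends is
    kept; otherwise a second CSP header is appended, which browsers enforce
    together with any existing one.
    """
    xfo_value = "DENY" if frame_ancestors.strip() == "'none'" else "SAMEORIGIN"

    def wrapped(environ, start_response):
        def start_response_with_headers(status, headers, exc_info=None):
            headers = list(headers)
            if framing_protection(headers) != "csp":
                headers.append(("Content-Security-Policy",
                                "frame-ancestors " + frame_ancestors))
            if not any(n.lower() == "x-frame-options" for n, _ in headers):
                headers.append(("X-Frame-Options", xfo_value))
            return start_response(status, headers, exc_info)
        return app(environ, start_response_with_headers)
    return wrapped


def response_headers(app, path="/"):
    """Call a WSGI app with a minimal constructed environ; return its headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    body = app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured["headers"]


def sample_app(environ, start_response):
    """Constructed sample app: sends a CSP that says nothing about framing."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Security-Policy", "default-src 'self'")])
    return [b"<html>login form</html>"]


if __name__ == "__main__":
    before = response_headers(sample_app)
    after = response_headers(anti_framing_middleware(sample_app))
    print("before:", framing_protection(before))   # None
    print("after: ", framing_protection(after))    # csp
```

`framing_protection` is the part worth reusing: point it at the headers returned by a real deployment (for instance from `urllib.request` or `curl -I`) to verify that a webserver-level workaround, or the patched application, really emits an enforced `frame-ancestors` or `X-Frame-Options` header on every response, not only on the front page.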
References:
===========

CVE-2021-3731 (LedgerSMB)
https://ledgersmb.org/cve-2021-3731-clickjacking
https://huntr.dev/bounties/5664331d-f5f8-4412-8566-408f8655888a/

Reported by:
============

sudheendra17, user of the huntr.dev platform

Patches:
========

Patch for LedgerSMB 1.8 (1.8.0 up to 1.8.17, inclusive):
-------------------------------------------------------
[[[
diff --git a/lib/LedgerSMB/PSGI.pm b/lib/LedgerSMB/PSGI.pm index b0b20a95b..a4785a9f1 100644 --- a/lib/LedgerSMB/PSGI.pm +++ b/lib/LedgerSMB/PSGI.pm @@ -122,6 +122,9 @@ sub old_app { return Plack::Util::response_cb( $handler->($env), sub { + Plack::Util::header_set($_[0]->[1], + 'Content-Security-Policy', + q{frame-ancestors 'self'}); if (not Plack::Util::header_exists($_[0]->[1], 'X-LedgerSMB-App-Content')) { Plack::Util::header_push($_[0]->[1], @@ -179,6 +182,9 @@ sub psgi_app { } }; + Plack::Util::header_set($res->[1], + 'Content-Security-Policy', + q{frame-ancestors 'self'}); return $res; }
]]]

Patch for LedgerSMB 1.7 (1.7.0 up to 1.7.32, inclusive):
-------------------------------------------------------
[[[
diff --git a/lib/LedgerSMB/PSGI.pm b/lib/LedgerSMB/PSGI.pm index ec8be07f1..bcb478524 100644 --- a/lib/LedgerSMB/PSGI.pm +++ b/lib/LedgerSMB/PSGI.pm @@ -91,6 +91,9 @@ sub old_app { return Plack::Util::response_cb( $handler->(@_), sub { + Plack::Util::header_set($_[0]->[1], + 'Content-Security-Policy', + q{frame-ancestors 'self'}); if (not Plack::Util::header_exists($_[0]->[1], 'X-LedgerSMB-App-Content')) { Plack::Util::header_push($_[0]->[1], @@ -159,6 +162,9 @@ sub psgi_app { } }; + Plack::Util::header_set($res->[1], + 'Content-Security-Policy', + q{frame-ancestors 'self'}); return $res; }
]]]

-- 
Bye, Erik.

http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.
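Review bot: In the old_app hunk of both the 1.8 and 1.7 patches, Plack::Util::header_set replaces any Content-Security-Policy header the wrapped handler has already emitted, so a response that carried a broader policy would lose it instead of gaining the framing restriction on top of it; Plack::Util::header_push, which the same callback already uses a few lines down for X-LedgerSMB-App-Content, would add `frame-ancestors 'self'` as a second CSP header that browsers enforce together with the existing one. Consider also emitting `X-Frame-Options: SAMEORIGIN` alongside it: the 2011-era browser mitigation the advisory refers to is X-Frame-Options, while `frame-ancestors` is a CSP Level 2 directive that browsers adopted later, so the patch as written leaves older clients unprotected.

Review bot: The psgi_app hunk (at -179 in the 1.8 patch and -159 in the 1.7 patch) repeats the same three-line header_set call and the same policy literal as old_app; a single helper that sets the header on a PSGI response arrayref, called from both places, would keep the two code paths from drifting when the policy is tightened later. The overwrite concern from old_app applies here too, since header_set on `$res->[1]` discards any Content-Security-Policy already present on `$res`.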