Add clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen for bringing...

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14118 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/doc/ChangeLog b/doc/ChangeLog
index f63b2c3c1caf01134e86138bd0274f18d0e9a9e1..a9c1710d01c6d729239e2cf34f5d7f74b71ed91a 100644 (file)
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -360,6 +360,8 @@ Version 1.5.2 - SVN
   - Allow administrators to configure subfolders of user INBOXes to be
     treated as special folders by adding $subfolders_of_inbox_are_special
     to config_local.php.
+  - Added clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen
+    for bringing this to our attention). [CVE-2010-4554]
 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------

diff --git a/functions/page_header.php b/functions/page_header.php
index 42adba64508060320e2a5e27767a11f6438753d1..7c09c6f745de5478f8d92ee50c87a48466b36a48 100644 (file)
--- a/functions/page_header.php
+++ b/functions/page_header.php
@@ -56,11 +56,29 @@ function displayHtmlHeader( $title = 'SquirrelMail', $xtra = '', $do_hook = TRUE
     //$oTemplate->header('X-Powered-By: SquirrelMail/' . SM_VERSION, FALSE);
     $oTemplate->header('X-Powered-By: SquirrelMail', FALSE);
 
+    // prevent clickjack attempts
+// FIXME: should we use DENY instead?  We can also make this a configurable value, including giving the admin the option of removing this entirely in case they WANT to be framed by an external domain
+    $oTemplate->header('X-Frame-Options: SAMEORIGIN');
+
+    // prevent clickjack attempts using JavaScript for browsers that
+    // don't support the X-Frame-Options header...
+    // we check to see if we are *not* the top page, and if not, check
+    // whether or not the top page is in the same domain as we are...
+    // if not, log out immediately -- this is an attempt to do the same
+    // thing that the X-Frame-Options does using JavaScript (never a good
+    // idea to rely on JavaScript-based solutions, though)
+//FIXME: is it a problem that we still force the clickjack protection code whether or not JavaScript is supported or desired by the user?
+    $header_tags = '<script type="text/javascript" language="JavaScript">'
+       . "\n<!--\n"
+       . 'if (self != top) { try { if (document.domain != top.document.domain) {'
+       . ' throw "Clickjacking security violation! Please log out immediately!"; /* this code should never execute - exception should already have been thrown since it\'s a security violation in this case to even try to access top.document.domain (but it\'s left here just to be extra safe) */ } } catch (e) { self.location = "'
+       . sqm_baseuri() . 'src/signout.php"; top.location = "'
+       . sqm_baseuri() . 'src/signout.php" } }'
+       . "\n// -->\n</script>\n";
+
     $oTemplate->assign('frames', $frames);
     $oTemplate->assign('lang', $squirrelmail_language);
 
-    $header_tags = '';
-
     $header_tags .= "<meta name=\"robots\" content=\"noindex,nofollow\" />\n";
 
     $used_fontset = (!empty($chosen_fontset) ? $chosen_fontset : $default_fontset);