Red5 / red5-server

Red5 Server core
Apache License 2.0

Clickjacking in Red5 Server and global Web.xml is not found #353

Open LakshmiPhani7680 opened 1 month ago

LakshmiPhani7680 commented 1 month ago

Issue

Short description

Brief description of what happened: We are trying to add headers in the Red5 media server to avoid clickjacking, but unfortunately the headers aren't getting reflected. Please give us a way to avoid the clickjacking vulnerability and tell us how to add headers in the Red5 media server.

Environment

- Operating system and version:
- Java version: jdk8 we are using in red5
- Red5 version: No idea how to find it.

chushiyun2015 commented 1 month ago

This is an automatic vacation reply from QQ Mail. Hello, I am currently on vacation and cannot reply to your email personally. I will reply to you as soon as possible after the holiday ends.

mondain commented 1 month ago

@LakshmiPhani7680 could you provide more information on the exploit?

LakshmiPhani7680 commented 1 month ago

Hi @mondain, thank you for the response. In general, if I want to add request or response headers for the Red5 server, where do I need to add them? In the web.xml file somewhere in /webapps/vod/, right? Or anywhere else? Because the Red5 server which we are using has this clickjacking vulnerability, as it doesn't have the desired headers to avoid it.

mondain commented 1 month ago

Would you mind linking to an article or incident report that I can review?


LakshmiPhani7680 commented 1 month ago

Hi @mondain, yeah sure, will send on Monday. But can you please tell me in general how to add request/response headers like X-Frame-Options for the Red5 media server? Thank you.

mondain commented 1 month ago

The default JEE container used in Red5 is Tomcat; so you'll want to look at that specifically. If I wanted to inject headers from the server side, I'd add a context listener or servlet filter.

LakshmiPhani7680 commented 1 month ago

Hi @mondain, thank you for the response. So without Tomcat, Red5 won't work? Or is that only related to the headers?

mondain commented 1 month ago

The global web.xml for Tomcat is not used in Red5; each app has its own web.xml, so if you cannot sort it out there, you'll have to add a context listener or servlet filter.
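The servlet-filter approach mentioned in the two replies above, as an added example that is not Red5 project code: a filter that sets X-Frame-Options and the CSP frame-ancestors directive on every HTTP response of one webapp, registered in that webapp's own web.xml rather than Tomcat's global one. The package name, class name and the init-param called "policy" are assumptions chosen for the example; it assumes the javax.servlet API of Tomcat 9 and earlier (on a Tomcat 10+ build the imports become jakarta.servlet), and that the compiled class is placed under the webapp's WEB-INF/classes or packaged into a jar under WEB-INF/lib.

```java
// Added example, not part of the Red5 project. Package and class name are
// hypothetical; the servlet API namespace (javax) matches Tomcat 9 and earlier.
package com.example.red5.security;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds anti-clickjacking headers to every HTTP response that passes through
 * this webapp. Both headers are sent because older browsers honour only
 * X-Frame-Options while current ones prefer CSP frame-ancestors.
 */
public class AntiClickjackingFilter implements Filter {

    // Default is the strictest setting: no framing at all.
    private String frameOptions = "DENY";
    private String frameAncestors = "'none'";

    @Override
    public void init(FilterConfig config) {
        // Optional init-param (assumed name "policy"): SAMEORIGIN relaxes the
        // policy to same-origin framing only, for apps that frame their own pages.
        String policy = config.getInitParameter("policy");
        if ("SAMEORIGIN".equalsIgnoreCase(policy)) {
            frameOptions = "SAMEORIGIN";
            frameAncestors = "'self'";
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Set the headers before invoking the rest of the chain: once a servlet
            // has written output and the response is committed, setHeader is ignored.
            http.setHeader("X-Frame-Options", frameOptions);
            http.setHeader("Content-Security-Policy", "frame-ancestors " + frameAncestors);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

/*
 * Registration in the webapp's own WEB-INF/web.xml (e.g. webapps/vod/WEB-INF/web.xml),
 * inside <web-app>; the filter-mapping covers every URL of that app:
 *
 *   <filter>
 *     <filter-name>antiClickjacking</filter-name>
 *     <filter-class>com.example.red5.security.AntiClickjackingFilter</filter-class>
 *     <init-param>
 *       <param-name>policy</param-name>
 *       <param-value>DENY</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>antiClickjacking</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
```

The filter only affects responses served through the servlet container (HTTP pages, HLS/HTTP-FLV endpoints, the web UI of that app); RTMP traffic is not HTTP and carries no such headers. Because Red5 ignores the global Tomcat web.xml, the registration has to be repeated in each webapp that needs it, and a quick way to confirm it took effect after a restart is to request a page from the app with an HTTP client in header-only mode and look for the two headers in the response.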

LakshmiPhani7680 commented 1 month ago

I have added some tags in web.xml but they are not getting reflected, so I placed a proxy in front of Red5, but I just need to know how to add them for Red5 itself without using any other proxy servers.