netbox-community / netbox

The premier source of truth powering network automation. Open source under Apache 2. Try NetBox Cloud free: https://netboxlabs.com/free-netbox-cloud/
http://netboxlabs.com/oss/netbox/
Apache License 2.0

Clickjacking issue with jquery-ui #5838

Closed woodts closed 3 years ago

woodts commented 3 years ago

Environment

Expected Behavior

Nessus not to find any vulnerabilities.

Observed Behavior

Nessus flagged a clickjacking vulnerability in /opt/netbox/netbox/static/jquery-ui-1.12.1/index.html

DanSheps commented 3 years ago

This issue is pending closure as it does not conform to one of the provided templates as required by the contributing guide. If you'd like to request that your issue be re-opened, please first update the content so that it matches the appropriate template (this may require rewriting your issue entirely).

woodts commented 3 years ago

I wish there were a template that related to this issue, but there is no security template for this project. I will attempt to make something look close in hopes that this issue gets looked at.

jeremystretch commented 3 years ago

The maintainers will not accept anything that does not include detailed steps for reproducing a suspected bug. Your issue above provides no such detail, hence its closure. FYI the mere indication by some analysis tool that the project includes a file containing code that might introduce a vulnerability if used in a certain way does not constitute a bug report. Please do not open another issue unless you can demonstrate a reproducible exploitation of the product in its unmodified form.

woodts commented 3 years ago

I've updated my report to fit the template requirement as best as I can determine. The details that I earlier provided weren't up to step-by-step reproduction; they should be now, provided you have a functioning Nessus vulnerability scanner at your disposal. The vulnerable component, despite its non-use from within Netbox, nonetheless is exposed via the nginx server and is, therefore, a legitimate vulnerability in that the vulnerable component is installed by default alongside the functional bits. The Netbox installation itself introduces this vulnerability onto the server on which it is installed - no modification by the user is required to expose this vulnerability other than the regular installation process. As you will see in my report, the problematic file is identified and a possible fix is included. My limited user testing found no functional impairment from performing the remediation steps I suggest above. My general suggestion would be to remove the index.html file completely instead of neutering it via my suggestion before packaging the app for distribution.

jeremystretch, your statement "the mere indication by some analysis tool that the project includes a file containing code that might introduce a vulnerability if used in a certain way does not constitute a bug report" demonstrates a disregard for and a lack of understanding of cybersecurity. The fact that a default installation of Netbox introduces a clickjacking vulnerability onto every machine on which it is installed is no trivial matter. It may not be a bug, per se, in the Netbox application itself, but it certainly is a problem to be distributing an application that opens a security hole. A small bit of housekeeping in the build environment for Netbox, namely neutering the vulnerable and AFAICT unused demo file from the jquery-ui package, would remedy this. Given there is no other means of reporting this issue to the maintainers than through this bug reporting system that has no explicit means to report security issues, I used the means provided to communicate the issue to those empowered to fix it.

DanSheps commented 3 years ago

What component specifically on the index page results in the clickjacking vulnerability?

Really, your issue should be with jquery, as they are the ones that provide the library.

woodts commented 3 years ago

DanSheps, I am not a jquery developer, so I can't speak to the code involved specifically. As the person responsible for the nginx server, however, the typical mitigations for such a vulnerability involve setting X-FRAME-OPTIONS and/or Content-Security-Policy headers with the appropriate values limiting the scope. Doing so for Netbox itself, within the confines of its own /etc/nginx/sites-enabled/netbox configuration file, doesn't cover the jquery-ui directory that's exposed by the default install. This requires its own set of mitigations, the easiest of which I've found is to just neuter/nuke the index.html as described above. Again, I can't speak to the Netbox code itself, so I didn't want to attempt to do anything specific with any of the other contents of the jquery-ui directory, out of concern that the other bits may be required for the proper functioning of Netbox.

Indeed, jquery and jquery-ui are part of the OpenJS Foundation, but being unaware of the development team structure for the jquery project, I specified the specific component. And I suppose, were I industrious enough, I'd spin up a security issue report with them as well. However, again, I'm not a developer, but I do use Netbox, and my vulnerability scanner does trigger a medium-level alert which, according to company policy, has to be looked into.
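The header-based mitigation discussed above, as an added example that is not part of this thread or of NetBox's shipped configuration: anti-framing headers declared at the `server` level so they also cover the statically served jquery-ui demo page, with the nginx inheritance caveat that explains why headers set only for the application location do not reach `/static/`. It assumes a docs-style layout (the `/etc/nginx/sites-enabled/netbox` file and `/opt/netbox/netbox/static/` path from the thread; the hostname and the upstream port are placeholders).

```nginx
# Added example (not NetBox's own configuration). Assumes the static tree at
# /opt/netbox/netbox/static/ is served directly by nginx under /static/.
server {
    listen 443 ssl;
    server_name netbox.example.com;        # placeholder hostname

    # add_header directives are inherited by nested location blocks ONLY
    # if that block declares no add_header of its own. A location with even
    # one add_header silently drops all headers set here. Declaring the
    # anti-framing headers at server level, and keeping /static/ free of
    # its own add_header lines, is what makes them reach the jquery-ui page.
    # "always" also emits them on 4xx/5xx responses.
    add_header X-Frame-Options "DENY" always;
    add_header Content-Security-Policy "frame-ancestors 'none'" always;

    location /static/ {
        alias /opt/netbox/netbox/static/;
        # No add_header here, so both headers above apply to
        # /static/jquery-ui-1.12.1/index.html as well.
    }

    location / {
        proxy_pass http://127.0.0.1:8001;  # placeholder upstream port
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # If this block ever needs its own add_header (e.g. HSTS), repeat
        # the two anti-framing headers inside it, or inheritance is lost.
    }
}
```

After reloading nginx, `curl -sI https://netbox.example.com/static/jquery-ui-1.12.1/index.html` should show both headers on the demo page itself, which is the condition the scanner finding is checking.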

jeremystretch commented 3 years ago

I'm so tired of people insulting me. Locked.