APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: 2021-06-29 04:01 AM . Last Modified: 2024-03-13 01:54 AM
I need to remediate a vulnerability that turned up in a recent Nessus scan - "Web Application Potentially Vulnerable to Clickjacking". In looking through the reference articles, I don't see a way to address this through IE for the PowerChute application. The scanner references the logon page for the PowerChute Network Shutdown application.
Description
The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy 'frame-ancestors' response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions.
X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and is currently supported by all major browser vendors.
Content-Security-Policy (CSP) has been proposed by the W3C Web Application Security Working Group, with increasing support among all major browser vendors, as a way to mitigate clickjacking and other attacks. The 'frame-ancestors' policy directive restricts which sources can embed the protected resource.
Note that while the X-Frame-Options and Content-Security-Policy response headers are not the only mitigations for clickjacking, they are currently the most reliable methods that can be detected through automation. Therefore, this plugin may produce false positives if other mitigation strategies (e.g., frame-busting JavaScript) are deployed or if the page does not perform any security-sensitive transactions.
Solution
Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response.
This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.
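The Nessus finding quoted above is decided purely from response headers, so the quickest way to confirm a remediation (or to triage a false positive) is to apply the same test yourself. The Python below is an added example, not part of this thread and not PowerChute code: it classifies a response's headers the way the plugin description says, treating X-Frame-Options DENY/SAMEORIGIN or a Content-Security-Policy frame-ancestors directive as a mitigation, and ignoring Content-Security-Policy-Report-Only because it does not enforce. The sample header sets are constructed; fetch_headers is a plain urllib helper for pointing the check at a real login page URL of your own.

```python
"""Classify an HTTP response's headers for the clickjacking mitigations a
scanner such as Nessus looks for.  Added example, not code from the forum
thread or from PowerChute; the SAMPLES below are constructed, not captured."""
import urllib.request


def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def frame_ancestors(headers):
    """Return the frame-ancestors source list from an enforcing CSP header,
    or None if no such directive is present.  Header names are matched
    case-insensitively; Content-Security-Policy-Report-Only is ignored on
    purpose because it only reports and never blocks framing."""
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            # Some clients fold repeated CSP headers with ", "; CSP values
            # themselves never contain commas, so splitting is safe.
            for single in value.split(","):
                policy = parse_csp(single)
                if "frame-ancestors" in policy:
                    return policy["frame-ancestors"]
    return None


def assess(headers):
    """Return ('protected' | 'unprotected', reason) for one response."""
    xfo = None
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            xfo = value.strip().upper()

    ancestors = frame_ancestors(headers)
    if ancestors is not None:
        # A wildcard allows any origin to frame the page; an empty list is
        # equivalent to 'none' and blocks all framing.
        if "*" in ancestors:
            return ("unprotected", "frame-ancestors * allows any site to frame the page")
        return ("protected", "CSP frame-ancestors " + " ".join(ancestors))
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("protected", "X-Frame-Options " + xfo)
    if xfo is not None:
        return ("unprotected", "X-Frame-Options value not recognised: " + xfo)
    return ("unprotected", "no X-Frame-Options and no CSP frame-ancestors")


def fetch_headers(url, timeout=10):
    """Fetch a URL and return its response headers as a dict, for running
    assess() against a live login page.  Not called at import time."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.getheaders())


# Constructed sample responses (not from a real PCNS host).
SAMPLES = {
    "no headers":     {"Content-Type": "text/html"},
    "xfo sameorigin": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "csp none":       {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp wildcard":   {"Content-Security-Policy": "frame-ancestors *"},
    "report only":    {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        verdict, reason = assess(hdrs)
        print(f"{label:15s} {verdict:12s} {reason}")
```

Run it as-is to see the five constructed cases classified, or call assess(fetch_headers("https://host:port/login-path")) against your own PCNS instance to check whether a given release actually returns the header on the logon page. Note that the plugin description says it checks all content responses, so a static page such as the about page can keep the finding alive even after the login page is fixed.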
Posted: 2021-06-29 04:01 AM . Last Modified: 2024-03-13 01:54 AM
Hi,
What version of PCNS are you running and what version of IE?
Posted: 2021-06-29 04:01 AM . Last Modified: 2024-03-13 01:54 AM
IE 11
PCNS is 3.0.1
Posted: 2021-06-29 04:01 AM . Last Modified: 2024-03-13 01:54 AM
Hi,
You are running an old version of the application. The issue has been addressed in PCNS 4.1 for the login page. It will still exist for the about page (static html) and that will be addressed in a future release.
Posted: 2024-04-15 11:29 PM
Hi, I am running the latest version 5.0.0_release_ww and this issue is still being found by Nessus on the logon page; port 6547.
Can you provide any information as to when this will be addressed in all versions and all pages?