Adobe Connect Addresses Clickjacking Concerns
Problem Statement: Nessus scan indicates that the Connect application is susceptible to clickjacking
Environment: Adobe Connect on-premise accounts only
Goal to be achieved:
- Enable account-specific X-Frame options to address clickjacking.
- Connect has a configuration parameter, ENABLE_X_FRAME_OPTIONS, which, if enabled, enforces cross-frame scripting protection; the default setting is false/disabled.
- There will be two related, but different system-wide parameters: ENABLE_X_FRAME_OPTIONS to allow this, and FORCE_X_FRAME_OPTIONS to force it for everyone.
- The default value for the (currently existing) parameter ENABLE_X_FRAME_OPTIONS will be changed from false to true. Changing this to false will disable X-Frame options system-wide, overriding any account-specific setting.
- The default value for the new parameter, FORCE_X_FRAME_OPTIONS, will be false. This exists so that we can force X-Frame options for all accounts. But given that there are accounts which seem to require the X-Frame options to be disabled, this might remain an optional parameter for some accounts.
- A new feature (ID=177, FEATURE_X_FRAME_OPTIONS_FOR_ACCOUNT) will be added to track this option on a per-account basis.
- This feature will be exposed in the Administration screen, under “More Settings” as the option “Configure X-Frame Options,” and will be unchecked/disabled by default. In other words, the per-account default will match what was previously the system-wide default. This will need to be enabled on an account-by-account basis. See Figure 1 below.
- Obviously, this will only be editable if FORCE_X_FRAME_OPTIONS is false.
- If this option is checked and X-Frame options are enabled, then the Allow From drop-down box will be enabled. It offers two options: SAMEORIGIN (default) or ALLOW-FROM (Figure 2 below).
- If ALLOW-FROM is selected, then the Allow From URI input box is enabled for editing (Figure 3 below). It will be required if enabled, and there will be validation of this text.
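
The precedence described in the list above, written out as an added example (a model for reasoning about the settings, not Adobe Connect code). The function names, the URI validation rules, and the choice of SAMEORIGIN for an account that is forced but has no setting of its own are assumptions; the page does not specify them.

```python
from urllib.parse import urlsplit

POLICIES = ("SAMEORIGIN", "ALLOW-FROM")


def validate_allow_from(uri):
    """Return the serialized origin for an Allow From URI, or raise ValueError.

    Assumed rules: value is required, absolute http(s), no credentials, and
    no whitespace or control characters (which would allow header injection).
    """
    if not uri or any(c.isspace() or ord(c) < 0x20 for c in uri):
        raise ValueError("Allow From URI is required and must not contain whitespace")
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("Allow From URI must be an absolute http(s) URI")
    if parts.username or parts.password:
        raise ValueError("Allow From URI must not carry credentials")
    # RFC 7034 ALLOW-FROM takes an origin, so path and query are dropped.
    return f"{parts.scheme}://{parts.netloc}"


def effective_x_frame_options(enable_system, force_system, account_enabled,
                              policy="SAMEORIGIN", allow_from_uri=None):
    """Return the X-Frame-Options value for an account, or None if no header is sent.

    enable_system   -> ENABLE_X_FRAME_OPTIONS (system-wide)
    force_system    -> FORCE_X_FRAME_OPTIONS (system-wide)
    account_enabled -> per-account "Configure X-Frame Options" checkbox
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy!r}")
    if not enable_system:
        return None  # system-wide off overrides any account-specific setting
    if not (force_system or account_enabled):
        return None  # account has not opted in and nothing forces it
    if account_enabled and policy == "ALLOW-FROM":
        return "ALLOW-FROM " + validate_allow_from(allow_from_uri)
    return "SAMEORIGIN"  # assumed value when forced without an account policy


if __name__ == "__main__":
    # Constructed sample settings: (enable, force, account, policy, uri)
    for case in [(False, True, True, "SAMEORIGIN", None),
                 (True, False, False, "SAMEORIGIN", None),
                 (True, True, False, "SAMEORIGIN", None),
                 (True, False, True, "ALLOW-FROM", "https://lms.example.com/course/1")]:
        print(case, "->", effective_x_frame_options(*case))
```

Current browsers ignore the ALLOW-FROM value of X-Frame-Options, so an account relying on it should confirm the behaviour in the browsers its users run; the Content-Security-Policy frame-ancestors directive is the mechanism browsers support for per-origin framing.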