Kerio User Forums, Kerio Connect: PCI xFrame vulnerability
Tod

Messages: 7
Karma: 0
Kerio Connect 8.5.3

While having PCI scanning done recently, our scanning company states we have an xframe / clickjacking vulnerability on the login page of the Kerio Connect.
I was surprised since Kerio had a fix for this in v8.3.0.
We had recently updated from 8.3.x to 8.5.3 to fix some other PCI problems.
I was wondering if this is a false reading from our scanning service, or is there somewhere I can check to verify the setting is set correctly?
I have checked mailserver.cfg for:
<variable name="AppendHeaderXFrameOptions">SAMEORIGIN</variable>

As long as this variable is not supposed to actually contain a real url, this is the default value.

Also, is there any recent documentation from Kerio that states it is not vulnerable to this attack?
Pavel Dobry (Kerio)

Messages: 5153
Karma: 243
Tod wrote on Tue, 15 December 2015 00:17
Kerio Connect 8.5.3

While having PCI scanning done recently, our scanning company states we have an xframe / clickjacking vulnerability on the login page of the Kerio Connect.
I was surprised since Kerio had a fix for this in v8.3.0.
We had recently updated from 8.3.x to 8.5.3 to fix some other PCI problems.
I was wondering if this is a false reading from our scanning service, or is there somewhere I can check to verify the setting is set correctly?
I have checked mailserver.cfg for:
<variable name="AppendHeaderXFrameOptions">SAMEORIGIN</variable>

As long as this variable is not supposed to actually contain a real url, this is the default value.

Also, is there any recent documentation from Kerio that states it is not vulnerable to this attack?


The login page has changed since version 8.3.
Please upgrade to Kerio Connect 9.0.1, which also addresses this issue.

Knowledge Base: http://kb.kerio.com/.
Technical support: http://www.kerio.com/support
------------------
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
Tod

Messages: 7
Karma: 0
Can you explain further?
I know the login page has added customization options.

I cannot upgrade past 8.5.3 due to the OS requirements for 9.0.

Does the "AppendHeaderXFrameOptions">SAMEORIGIN</variable>" no longer work?
MarkK

Messages: 454
Karma: 46
This is interesting. I am running 8.5.0 and just searched the .\web\ files for signs of the
<meta http-equiv="X-Frame-Options" content="deny">
header, specifically searched for "X-Frame-Options" and didn't find this.

I would suppose you could hack/edit it into the files. Not a good move by Kerio to fix this and then lose the fix for a while in updates.

I'm in the same boat of needing to do an OS upgrade before loading v9, as well as waiting for some of the v9 issues to be addressed.
Tod

Messages: 7
Karma: 0
We had our PCI company run the scans manually, and they told us we were ok.
It responded to the manual scan correctly.

Pavel Dobry (Kerio)

Messages: 5153
Karma: 243
MarkK wrote on Wed, 16 December 2015 18:39
This is interesting. I am running 8.5.0 and just searched the .\web\ files for signs of the
<meta http-equiv="X-Frame-Options" content="deny">
header, specifically searched for "X-Frame-Options" and didn't find this.

I would suppose you could hack/edit it in to the files. Not a good move by Kerio to fix this and then lose the fix for a while in updates.

I'm in the same boat of needing to do an OS upgrade before loading v9, as well as waiting for some of the v9 issues to be addressed.


This HTTP header is added by Kerio Connect server. You can't find it in web files.
In fact, only one particular URL responds without the X-Frame-Options HTTP response header. This is fixed in Kerio Connect 9.0.0.

Pavel Dobry (Kerio)

Messages: 5153
Karma: 243
Tod wrote on Tue, 15 December 2015 15:46
Can you explain further?
I know the login page has added customization options.

I cannot upgrade past 8.5.3 due to the OS requirements for 9.0.

Does the "AppendHeaderXFrameOptions">SAMEORIGIN</variable>" no longer work?


It works. Only one particular URL from the second login dialog (webmail/login2/) is sent without this header. All other data, including the primary login dialog for the old Webmail, returns the header.

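Tod's original question (how to verify the setting is actually in effect) and Pavel's answers (the header is added by the server at response time, so it never appears in the web files, and one URL under webmail/login2/ was the exception) both come down to the same check: request each login URL and look at the response headers. The script below is an added example, not code from Kerio or from anyone in this thread. It classifies each response as protected by X-Frame-Options, protected by a CSP frame-ancestors directive, carrying a weak X-Frame-Options value, or unprotected. The hostname, paths and embedded responses are constructed placeholders that mirror the situation described in the thread; they are not captured from a real Kerio Connect server.

```python
"""Report which URLs of a login flow are served without clickjacking
protection (X-Frame-Options or a Content-Security-Policy frame-ancestors
directive). Added example; the URLs and sample responses are constructed."""
import urllib.error
import urllib.request

# X-Frame-Options values that actually stop framing by other origins.
# ALLOW-FROM and ALLOWALL are either ignored by browsers or permissive.
PROTECTIVE_XFO = {"DENY", "SAMEORIGIN"}


def framing_protection(headers):
    """Classify one response's headers (names compared case-insensitively).

    Returns:
      "xfo"      - X-Frame-Options is DENY or SAMEORIGIN
      "csp"      - Content-Security-Policy carries a frame-ancestors directive
      "weak-xfo" - X-Frame-Options present but with a non-protective value
      "none"     - no framing protection at all
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    xfo = lowered.get("x-frame-options")
    if xfo is not None and xfo.strip().upper() in PROTECTIVE_XFO:
        return "xfo"
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        if directive.strip().lower().startswith("frame-ancestors"):
            return "csp"
    if xfo is not None:
        return "weak-xfo"
    return "none"


def fetch_headers(url, timeout=10):
    """GET a URL and return its response headers as a dict.
    Error responses (4xx/5xx) still carry headers, so return those too."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


def audit(urls, fetch=fetch_headers):
    """Return {url: classification}. `fetch` is injectable so the logic can
    be exercised against recorded responses without network access."""
    return {url: framing_protection(fetch(url)) for url in urls}


# Constructed sample responses (placeholder host, not real captures) that
# mirror the thread: the primary login page sends the header, the login2
# URL does not, and an admin page relies on CSP instead.
SAMPLE_RESPONSES = {
    "https://mail.example.test/webmail/login/": {
        "Content-Type": "text/html",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "https://mail.example.test/webmail/login2/": {
        "Content-Type": "text/html",
    },
    "https://mail.example.test/admin/": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
}


def audit_samples():
    """Run the audit over the constructed responses instead of the network."""
    return audit(SAMPLE_RESPONSES, fetch=SAMPLE_RESPONSES.__getitem__)


if __name__ == "__main__":
    import sys

    targets = sys.argv[1:]
    results = audit(targets) if targets else audit_samples()
    for url, verdict in results.items():
        flag = "OK  " if verdict in ("xfo", "csp") else "FAIL"
        print(f"{flag} {verdict:9s} {url}")
```

Run it with no arguments to see the classification of the constructed samples, or pass your own login URLs (the primary login page and the login2 page both) to query a live server; a FAIL line on any URL that serves a login form is what a PCI scanner would flag. Checking the headers over HTTP is the only reliable verification, since the AppendHeaderXFrameOptions value in mailserver.cfg is consumed by the server process and never written into the .\web\ files.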
Tod

Messages: 7
Karma: 0
Can I remove the login2 items, so I can pass the scan? I don't care if they use the new or old interface.