Rukovoditel 2.7.2 Clickjacking Vulnerability

TuongNC
Posts: 12
Joined: 19 Dec 2020, 09:40
Name: Tuong Ngo Cat
Location: Ha Noi
Company Name: None

Rukovoditel 2.7.2 Clickjacking Vulnerability

Post by TuongNC »

1. Description:
----------------------
Rukovoditel 2.7.2 Clickjacking Vulnerability

2. To Reproduce:
----------------------
- Log in to the panel with a user account.
- Go to "Projects" and click your "Projects".
- Select "Add Ticket", choose "iFrame" and add a malicious URI. Then click Save.
- Send that link to the admin; if the admin visits that address, the script triggers.

3. Screenshots:
----------------------
3.1. https://i.imgur.com/ql8t7Pi.png
3.2. https://i.imgur.com/Qd323EA.png
3.3. https://i.imgur.com/ESyeGNm.png
3.4. https://i.imgur.com/myZG6Ff.png
------
And now the client views this ticket:
3.5. https://i.imgur.com/YyuHhbf.png
And the admin views this ticket; the script is running.
3.6. https://i.imgur.com/XPGtlrf.png

4. Impact
An attacker may trick the admin by sending them a malicious link; when the admin opens it and clicks the link, the script runs.

5. Desktop (please complete the following information):
- OS: Windows
- Browser: Google Chrome
- Version: 87.0.4280.88

Let me know if you need more information.
support
Site Admin
Posts: 6215
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: Rukovoditel 2.7.2 Clickjacking Vulnerability

Post by support »

Well, the purpose of the iFrame field type is to show content from an external URL.
Of course it's not safe, and this is not something for clients or public forms. Managers can put in a link to a map or a video camera URL. So access to this field type must be restricted to trusted users only.
In the app you can configure access to each field in the access configuration.
swar
Posts: 60
Joined: 19 Dec 2020, 04:11
Name: A.R.
Location: Bratislava

Re: Rukovoditel 2.7.2 Clickjacking Vulnerability

Post by swar »

@support Is there a way to allow users to use the WYSIWYG textarea and at the same time disable iframe?
support
Site Admin
Posts: 6215
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: Rukovoditel 2.7.2 Clickjacking Vulnerability

Post by support »

You can remove iframe here: template\plugins\ckeditor\ckeditor.js
Also you can use the short view for the text editor field.