| Known Issue ID | FMESERVER-10761 |
|---|---|
| Feature | Apache Tomcat |
| Product | FME Flow (formerly FME Server) |
| Versions Affected | 2025.0, 2024.x, 2023.x, 2022.x, 2021.x, 2020.x, 2019.x, 2018.x |
| Status | Unresolved |
Issue
A security scan has reported that FME Flow (formerly FME Server) does not send the X-Frame-Options header, which means an attacker can exploit vulnerabilities such as clickjacking.
Cause
Clickjacking is a technique used by malicious websites to trick a user into divulging confidential information by embedding the target website in an iframe. Check out OWASP to learn more about Clickjacking.
By default, FME Flow does not prevent clickjacking as this may disrupt legitimate uses of the web interface.
Workaround
To harden FME Flow against this vulnerability, enable the HTTP Header Security filter. This filter is built into FME Flow's web application server (Tomcat) and, when enabled, instructs the user's browser either to allow only pages from the same origin to embed FME Flow or to reject all embedding.
1. Download the attached tester.jsp file and place it in <FMEServerInstallDir>\Utilities\tomcat\webapps\ROOT.
2. Open a web browser and navigate to http(s)://<FMEServerHost>/tester.jsp. You should now see your FME Flow login page embedded within a test page.
3. Run a text editor as an administrator and open web.xml, located in <FMEServerInstallDir>\Utilities\tomcat\conf.
4. Search for <filter-name>httpHeaderSecurity</filter-name>. Two occurrences of this filter will be found: a filter and a filter-mapping element. Uncomment each of these by removing the <!-- and --> markers that are wrapped around the elements.
5. Add the following antiClickJackingOption parameter with the value SAMEORIGIN underneath both the closing </filter> and </filter-mapping> tags:

   ```xml
   <init-param>
       <param-name>antiClickJackingOption</param-name>
       <param-value>SAMEORIGIN</param-value>
   </init-param>
   ```

6. Once complete, this should look like: [screenshot omitted]
7. Save the file and restart the FME Web Application Server service to apply the changes.
8. In the browser, return to http(s)://<FMEServerHost>/tester.jsp and log in; this time you'll see a "refused to connect" error.
9. Go to <FMEServerInstallDir>\Utilities\tomcat\webapps\ROOT and delete tester.jsp.
Note: Once enabled, the httpHeaderSecurity filter uses the default values for all its associated parameters, which reject all embedding. These values are listed in web.xml; if you want different behaviour (e.g. allow embedding only from the same origin), set them in the XML accordingly. For more information on these parameters, see the Apache Tomcat documentation on Container Provided Filters.
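The following Python script is an added example (not Safe Software's or Apache Tomcat's code) covering steps 4 and 5 above and the defaults described in the Note: it parses a web.xml to confirm that the httpHeaderSecurity filter is uncommented, mapped and carrying an antiClickJackingOption, derives the X-Frame-Options value Tomcat will send (DENY when no option is set), and classifies the anti-framing headers a live response returns, which gives a scriptable alternative to the tester.jsp check. One caveat worth knowing: in the servlet web.xml schema an <init-param> is a child of the <filter> element, so it belongs before the closing </filter> tag rather than after it, and a filter-mapping takes no init-param at all; the constructed sample below places it accordingly. The XML fragments, header dictionaries and namespace URI are constructed for this example; the filter class name and parameter names are Tomcat's.

```python
"""Added example, not Safe Software's or Tomcat's code: audit a Tomcat
web.xml for the httpHeaderSecurity filter and classify the anti-framing
headers a response carries. All XML and header samples are constructed."""
import urllib.request
import xml.etree.ElementTree as ET

# Constructed fragment of conf/web.xml with the filter and its mapping
# uncommented. An <init-param> has to sit inside <filter>: the servlet
# web.xml schema does not allow one after the closing </filter> tag.
WEB_XML_TEMPLATE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
{init_params}  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""
SAMEORIGIN_PARAM = """    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
"""
SAMPLE_WEB_XML = WEB_XML_TEMPLATE.format(init_params=SAMEORIGIN_PARAM)
SAMPLE_WEB_XML_DEFAULT = WEB_XML_TEMPLATE.format(init_params="")  # no option set
# Before step 4 the filter sits inside an XML comment, which the parser
# discards, so the audit must report it as not declared.
SAMPLE_WEB_XML_DISABLED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <!-- <filter><filter-name>httpHeaderSecurity</filter-name></filter> -->
</web-app>
"""
# Defaults of Tomcat's HttpHeaderSecurityFilter when no init-param is given.
TOMCAT_DEFAULTS = {"antiClickJackingEnabled": "true", "antiClickJackingOption": "DENY"}


def _local(tag):
    """Drop the namespace so javaee and jakartaee web.xml files both work."""
    return tag.rsplit("}", 1)[-1]


def _child_text(element, name):
    for child in element:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_web_xml(web_xml_text):
    """Report whether the filter is declared, its init-params (defaults filled
    in), its URL patterns and the X-Frame-Options value Tomcat will send."""
    params, declared, patterns = dict(TOMCAT_DEFAULTS), False, []
    for element in ET.fromstring(web_xml_text):
        if _child_text(element, "filter-name") != "httpHeaderSecurity":
            continue
        if _local(element.tag) == "filter":
            declared = True
            for child in element:
                if _local(child.tag) == "init-param":
                    params[_child_text(child, "param-name")] = _child_text(child, "param-value")
        elif _local(element.tag) == "filter-mapping":
            patterns.append(_child_text(element, "url-pattern"))
    header = None  # filter absent, unmapped or anti-clickjacking switched off
    if declared and patterns and params["antiClickJackingEnabled"].lower() == "true":
        header = params["antiClickJackingOption"].upper()
    return {"declared": declared, "params": params,
            "mapped_patterns": patterns, "x_frame_options": header}


def framing_policy(headers):
    """Classify a response as 'blocked', 'same-origin', 'allow-listed' or
    'unrestricted'. CSP frame-ancestors takes precedence, as in browsers."""
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = tuple(s.strip("'").lower() for s in parts[1:]) or ("none",)
            return {("none",): "blocked", ("self",): "same-origin"}.get(sources, "allow-listed")
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "allow-listed" if xfo.startswith("ALLOW-FROM") else "unrestricted"


def fetch_framing_policy(url):
    """Live check against a running server, e.g. https://<FMEServerHost>/."""
    with urllib.request.urlopen(url) as response:
        return framing_policy(dict(response.headers))
```

Run audit_web_xml over the text of your real <FMEServerInstallDir>\Utilities\tomcat\conf\web.xml before and after the edit: before step 4 it reports the filter as not declared, after step 5 it reports SAMEORIGIN, and with the filter uncommented but no option it reports DENY, which is the default the Note refers to. fetch_framing_policy needs network access to the server; everything else runs offline.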
Comments
1 comment
Configuring X-Frame-Options with antiClickJackingOption=SAMEORIGIN (or custom origin) is not only a security issue but a necessity when activating Strict Transport Headers (HSTS) as described here Enabling HTTP Response Headers to Secure the FME Server Web Application Server – FME Support Center. Setting strict transport header implicitly activates antiClickJacking with antiClickJackingOption=DENY which breaks FME Flow Dashboards (Job History) since these dashboards are embedded as frames.