Known Issue: FME Flow Apache Tomcat Vulnerability with X-Frame-Options header

Liz Sanderson

Known Issue ID: FMESERVER-10761
Feature: Apache Tomcat
Product: FME Flow (formerly FME Server)
Versions Affected: 2025.0, 2024.x, 2023.x, 2022.x, 2021.x, 2020.x, 2019.x, 2018.x
Status: Unresolved

Issue

A security scan has reported that FME Flow (formerly FME Server) does not set the X-Frame-Options header, meaning an attacker can exploit vulnerabilities such as clickjacking.

Cause

Clickjacking is a technique in which a malicious website embeds the target website in an iframe and tricks the user into interacting with it, for example to divulge confidential information. See OWASP to learn more about clickjacking.

By default, FME Flow does not prevent clickjacking, as doing so may disrupt legitimate uses of the web interface.

Workaround

To harden FME Flow against this vulnerability, you can enable the HTTP Header Security filter. This filter is built into FME Flow's Web Application Server (Tomcat) and, when enabled, sets the X-Frame-Options header, which instructs the user's browser either to reject all embedding of FME Flow pages (DENY) or to allow embedding only by pages of the same origin (SAMEORIGIN).

  1. Download the attached tester.jsp file and place it in <FMEServerInstallDir>\Utilities\tomcat\webapps\ROOT.
  2. Open a web browser and navigate to http(s)://<FMEServerHost>/tester.jsp. You should see your FME Flow login page embedded within a test page.
  3. Run a text editor as an administrator and open web.xml, located in <FMEServerInstallDir>\Utilities\tomcat\conf.
  4. Search for <filter-name>httpHeaderSecurity</filter-name>. Two occurrences of this filter will be found: a filter element and a filter-mapping element. Uncomment each of these by removing the <!-- and --> symbols that are wrapped around the elements.
  5. Add the following antiClickJackingOption parameter with the value SAMEORIGIN underneath both the closing </filter> and </filter-mapping> tags.
      <init-param>
          <param-name>antiClickJackingOption</param-name>
          <param-value>SAMEORIGIN</param-value>
      </init-param>
  6. Once complete, this should look like:
     (Two screenshots, dated 2021-07-08, of the uncommented filter and filter-mapping elements in web.xml.)
  7. Save the file and restart the FME Web Application Server Service to apply the changes.
  8. In the browser, return to http(s)://<FMEServerHost>/tester.jsp and log in; this time you'll see a "refused to connect" error.
  9. Go to <FMEServerInstallDir>\Utilities\tomcat\webapps\ROOT and delete tester.jsp.

Note: Once enabled, the httpHeaderSecurity filter uses the default values for all of its associated parameters, which reject all embedding. These values are listed in web.xml; if you want other behaviour (e.g. allowing embedding only from the same origin), set them in the XML accordingly. For more information on these parameters, see the Apache Tomcat documentation on Container Provided Filters.
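To confirm the change after the restart without relying on the tester.jsp page, the following added Python check (not part of this article or of FME Flow) fetches a page and reports which anti-clickjacking protection its response headers advertise; the URL you pass and the BEFORE/AFTER header samples are constructed examples, and the default header set is the one Tomcat's filter emits with its default parameter values.

```python
# Added example, not Safe Software's code: inspects the headers Tomcat's
# httpHeaderSecurity filter sets, so the change can be verified after restart.
import urllib.request
from typing import Mapping


def assess_framing(headers: Mapping[str, str]) -> str:
    """Return 'deny', 'sameorigin', 'csp' or 'unprotected' for a header map."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    # A CSP frame-ancestors directive overrides X-Frame-Options in current
    # browsers, so report it first when present.
    csp = lower.get("content-security-policy", "")
    if any(d.strip().lower().startswith("frame-ancestors") for d in csp.split(";")):
        return "csp"
    xfo = lower.get("x-frame-options", "").upper()
    if xfo == "DENY":        # the filter's default antiClickJackingOption
        return "deny"
    if xfo == "SAMEORIGIN":  # the value this article configures
        return "sameorigin"
    # Header missing, or the obsolete ALLOW-FROM form that browsers ignore.
    return "unprotected"


def missing_filter_headers(headers: Mapping[str, str], https: bool) -> list:
    """List headers the filter sends at default settings that are absent.
    Strict-Transport-Security is only added to HTTPS responses, so it is
    only expected when the page was fetched over TLS."""
    expected = ["x-frame-options", "x-content-type-options"]
    if https:
        expected.append("strict-transport-security")
    present = {k.lower() for k in headers}
    return [h for h in expected if h not in present]


def check_url(url: str) -> dict:
    """Fetch a page (e.g. the FME Flow login page) and summarise its headers."""
    with urllib.request.urlopen(url) as resp:  # follows redirects to the login page
        headers = dict(resp.headers.items())
    return {"framing": assess_framing(headers),
            "missing": missing_filter_headers(headers, url.startswith("https://"))}


# Constructed sample responses: before enabling the filter, and after enabling
# it with antiClickJackingOption=SAMEORIGIN.
BEFORE = {"Content-Type": "text/html;charset=UTF-8"}
AFTER = {"Content-Type": "text/html;charset=UTF-8",
         "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"}
```

Run check_url("https://<FMEServerHost>/") against your own host after the restart; a result of "unprotected" or a non-empty "missing" list means the filter is not active on that response.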
