starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-11 21:10:29 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

Clickjacking issue with jquery-ui #4577

New Issue
Closed
opened 2025-12-29 18:37:52 +01:00 by adam · 7 comments
adam commented 2025-12-29 18:37:52 +01:00
Owner
Copy Link

Originally created by @woodts on GitHub (Feb 18, 2021).

Environment

  • Python version: 3.8.5
  • NetBox version: 2.10.4

Steps to Reproduce

  1. Scan an existing Netbox installation with a vulnerability scanner such as Nessus ;
  2. Read Nessus report of clickjacking vulnerability and find that this vulnerability is caused by https://cardboard.atdd.noaa.gov/static/jquery-ui-1.12.1/index.html ;
  3. Remove/rename /opt/netbox/netbox/static/jquery-ui-1.12.1/index.html to /opt/netbox/netbox/static/jquery-ui-1.12.1/index.html.disabled ;
  4. chmod 000 /opt/netbox/netbox/static/jquery-ui-1.12.1/index.html.disabled ;
  5. Rescan with vulnerability scanner ;
  6. Observe that vulnerability scanner no longer detects the vulnerability, as the file that triggers it is no longer accessible to Netbox.

Expected Behavior

Nessus not to find any vulnerabilities.

Observed Behavior

Nessus flagged a clickjacking vulnerability in /opt/netbox/netbox/static/jquery-ui-1.12.1/index.html

Originally created by @woodts on GitHub (Feb 18, 2021). ### Environment * Python version: 3.8.5 * NetBox version: 2.10.4 * ### Steps to Reproduce 1. Scan an existing Netbox installation with a vulnerability scanner such as Nessus ; 2. Read Nessus report of clickjacking vulnerability and find that this vulnerability is caused by https://cardboard.atdd.noaa.gov/static/jquery-ui-1.12.1/index.html ; 3. Remove/rename /opt/netbox/netbox/static/jquery-ui-1.12.1/index.html to /opt/netbox/netbox/static/jquery-ui-1.12.1/index.html.disabled ; 4. chmod 000 /opt/netbox/netbox/static/jquery-ui-1.12.1/index.html.disabled ; 5. Rescan with vulnerability scanner ; 6. Observe that vulnerability scanner no longer detects the vulnerability, as the file that triggers it is no longer accessible to Netbox. ### Expected Behavior Nessus not to find any vulnerabilities. ### Observed Behavior Nessus flagged a clickjacking vulnerability in /opt/netbox/netbox/static/jquery-ui-1.12.1/index.html
adam closed this issue 2025-12-29 18:37:52 +01:00
adam commented 2025-12-29 18:37:53 +01:00
Author
Owner
Copy Link

@DanSheps commented on GitHub (Feb 22, 2021):

This issue is pending closure as it does not conform to one of the provided templates as required by the contributing guide. If you'd like to request that your issue be re-opened, please first update the content so that it matches the appropriate template (this may require rewriting your issue entirely).

@DanSheps commented on GitHub (Feb 22, 2021): This issue is pending closure as it does not conform to one of the [provided templates](https://github.com/netbox-community/netbox/issues/new/choose) as required by the [contributing guide](https://github.com/netbox-community/netbox/blob/master/CONTRIBUTING.md). If you'd like to request that your issue be re-opened, please first update the content so that it matches the appropriate template (this may require rewriting your issue entirely).
adam commented 2025-12-29 18:37:53 +01:00
Author
Owner
Copy Link

@woodts commented on GitHub (Feb 23, 2021):

I wish there were a template that related to this issue, but there is no security template for this project. I will attempt to make something look close in hopes that this issue gets looked at.

@woodts commented on GitHub (Feb 23, 2021): I wish there were a template that related to this issue, but there is no security template for this project. I will attempt to make something look close in hopes that this issue gets looked at.
adam commented 2025-12-29 18:37:53 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Feb 23, 2021):

The maintainers will not accept anything that does not include detailed steps for reproducing a suspected bug. Your issue above provides no such detail, hence its closure. FYI the mere indication by some analysis tool that the project includes a file containing code that might introduce a vulnerability if used in a certain way does not constitute a bug report. Please do not open another issue unless you can demonstrate a reproducible exploitation of the product in its unmodified form.

@jeremystretch commented on GitHub (Feb 23, 2021): The maintainers will not accept anything that does not include detailed steps for reproducing a suspected bug. Your issue above provides no such detail, hence its closure. FYI the mere indication by some analysis tool that the project includes a file containing code that _might_ introduce a vulnerability if used in a certain way does not constitute a bug report. Please do not open another issue unless you can demonstrate a reproducible exploitation of the product in its unmodified form.
adam commented 2025-12-29 18:37:54 +01:00
Author
Owner
Copy Link

@woodts commented on GitHub (Feb 23, 2021):

I've updated my report to fit the template requirement as best as I can determine. The details that I earlier provided weren't up to step-by-step reproduction; they should be now, provided you have a functioning Nessus vulnerability scanner at your disposal. The vulnerable component, despite its non-use from within Netbox, nonetheless is exposed via the nginx server and is, therefore, a legitimate vulnerability in that the vulnerable component is installed by default alongside the functional bits. The Netbox installation itself introduces this vulnerability onto the server on which it is installed - no modification by the user is required to expose this vulnerability other than the regular installation process. As you will see in my report, the problematic file is identified and a possible fix is included. My limited user testing found no functional impairment from performing the remediation steps I suggest above. My general suggestion would be to remove the index.html file completely instead of neutering it via my suggestion before packaging the app for distribution.

jeremystretch, your statement "the mere indication by some analysis tool that the project includes a file containing code that might introduce a vulnerability if used in a certain way does not constitute a bug report" demonstrates a disregard for and a lack of understanding of cybersecurity. The fact that a default installation of Netbox introduces a clickjacking vulnerability onto every machine on which it is installed is no trivial matter. It may not be a bug, per se, in the Netbox application itself, but it certainly is a problem to be distributing an application that opens a security hole. A small bit of housekeeping in the build environment for Netbox, namely neutering the vulnerable and AFAICT unused demo file from the jquery-ui package, would remedy this. Given there is no other means of reporting this issue to the maintainers than through this bug reporting system that has no explicit means to report security issues, I used the means provided to communicate the issue to those empowered to fix it.

@woodts commented on GitHub (Feb 23, 2021): I've updated my report to fit the template requirement as best as I can determine. The details that I earlier provided weren't up to step-by-step reproduction; they should be now, provided you have a functioning Nessus vulnerability scanner at your disposal. The vulnerable component, despite its non-use from within Netbox, nonetheless is exposed via the nginx server and is, therefore, a legitimate vulnerability in that the vulnerable component is installed by default alongside the functional bits. The Netbox installation itself introduces this vulnerability onto the server on which it is installed - no modification by the user is required to expose this vulnerability other than the regular installation process. As you will see in my report, the problematic file is identified and a possible fix is included. My limited user testing found no functional impairment from performing the remediation steps I suggest above. My general suggestion would be to remove the index.html file completely instead of neutering it via my suggestion before packaging the app for distribution. jeremystretch, your statement "the mere indication by some analysis tool that the project includes a file containing code that might introduce a vulnerability if used in a certain way does not constitute a bug report" demonstrates a disregard for and a lack of understanding of cybersecurity. The fact that a default installation of Netbox introduces a clickjacking vulnerability onto every machine on which it is installed is no trivial matter. It may not be a bug, per se, in the Netbox application itself, but it certainly is a problem to be distributing an application that opens a security hole. A small bit of housekeeping in the build environment for Netbox, namely neutering the vulnerable and AFAICT unused demo file from the jquery-ui package, would remedy this. Given there is no other means of reporting this issue to the maintainers than through this bug reporting system that has no explicit means to report security issues, I used the means provided to communicate the issue to those empowered to fix it.
adam commented 2025-12-29 18:37:54 +01:00
Author
Owner
Copy Link

@DanSheps commented on GitHub (Feb 23, 2021):

What component specifically on the index page results in the clickjacking vulnerability?

Really, your issue should be with jquery, as they are the ones that provide the library.

@DanSheps commented on GitHub (Feb 23, 2021): What component specifically on the index page results in the clickjacking vulnerability? Really, your issue should be with jquery, as they are the ones that provide the library.
adam commented 2025-12-29 18:37:54 +01:00
Author
Owner
Copy Link

@woodts commented on GitHub (Feb 23, 2021):

DanSheps, I am not a jquery developer, so I can't speak to the code involved specifically. As the person responsible for the nginx server, however, the typical mitigations for such a vulnerability involve setting X-FRAME-OPTIONS and/or Content-Security-Policy headers with the appropriate values limiting the scope. Doing so for Netbox itself, within the confines of its own /etc/nginx/sites-enabled/netbox configuration file, doesn't cover the jquery-ui directory that's exposed by the default install. This requires its own set of mitigations, the easiest of which I've found is to just neuter/nuke the index.html as described above. Again, I can't speak to the Netbox code itself, so I didn't want to attempt to do anything specific with any of the other contents of the jquery-ui directory, out of concern that the other bits may be required for the proper functioning of Netbox.

Indeed, jquery and jquery-ui are part of the OpenJS Foundation, but being unaware of the development team structure for the jquery project, I specified the specific component. And I suppose were I industrious enough that I'd spin up a security issue report with them as well. However, again I'm not a developer, but I do use Netbox, and my vulnerability scanner does trigger a medium level alert which according to company policy has to be looked into.

@woodts commented on GitHub (Feb 23, 2021): DanSheps, I am not a jquery developer, so I can't speak to the code involved specifically. As the person responsible for the nginx server, however, the typical mitigations for such a vulnerability involve setting X-FRAME-OPTIONS and/or Content-Security-Policy headers with the appropriate values limiting the scope. Doing so for Netbox itself, within the confines of its own /etc/nginx/sites-enabled/netbox configuration file, doesn't cover the jquery-ui directory that's exposed by the default install. This requires its own set of mitigations, the easiest of which I've found is to just neuter/nuke the index.html as described above. Again, I can't speak to the Netbox code itself, so I didn't want to attempt to do anything specific with any of the other contents of the jquery-ui directory, out of concern that the other bits may be required for the proper functioning of Netbox. Indeed, jquery and jquery-ui are part of the OpenJS Foundation, but being unaware of the development team structure for the jquery project, I specified the specific component. And I suppose were I industrious enough that I'd spin up a security issue report with them as well. However, again I'm not a developer, but I do use Netbox, and my vulnerability scanner does trigger a medium level alert which according to company policy has to be looked into.
adam commented 2025-12-29 18:37:54 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Feb 23, 2021):

I'm so tired of people insulting me. Locked.

@jeremystretch commented on GitHub (Feb 23, 2021): I'm so tired of people insulting me. Locked.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#4577
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?