Adobe Connect Support Blog

January 23, 2019 / Security / Technotes

Adobe Connect Addresses Clickjacking Concerns

Problem Statement: A Nessus scan reports the Connect application as susceptible to clickjacking.

Environment: Adobe Connect on-premise accounts only

Goal to be achieved:

  • Enable account-specific X-Frame-Options to address clickjacking.
  • Connect has a configuration parameter, ENABLE_X_FRAME_OPTIONS, which, if enabled, enforces cross-frame scripting protection by sending the X-Frame-Options response header; the default setting is false (disabled).

Solution:

  • There are two related but different system-wide parameters: ENABLE_X_FRAME_OPTIONS to allow the protection, and FORCE_X_FRAME_OPTIONS to force it for every account.
    • The default value of the (currently existing) parameter ENABLE_X_FRAME_OPTIONS changes from false to true. Setting it to false disables X-Frame-Options system-wide, overriding any account-specific setting.
    • The default value of the new parameter, FORCE_X_FRAME_OPTIONS, is false. It exists so that X-Frame-Options can be forced on for all accounts. Because some accounts appear to require X-Frame-Options to be disabled, the protection may remain optional for those accounts.
  • A new feature (ID=177, FEATURE_X_FRAME_OPTIONS_FOR_ACCOUNT) is added to track this option on a per-account basis.
    • The feature is exposed in the Administration screen, under “More Settings,” as the option “Configure X-Frame Options,” and is unchecked (disabled) by default. In other words, the per-account default matches what was previously the system-wide default, so it must be enabled account by account. See Figure 1 below.
    • This option is only editable if FORCE_X_FRAME_OPTIONS is false.
    • If this option is checked (that is, X-Frame-Options is enabled for the account), the Allow From drop-down box is enabled. It offers two options: SAMEORIGIN (default) or ALLOW-FROM (Figure 2 below).
    • If ALLOW-FROM is selected, the Allow From URI input box is enabled for editing (Figure 3 below). The URI is required when ALLOW-FROM is selected, and the text is validated.
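The two halves of this technote, what a scanner such as Nessus looks for in a response and how the Allow From URI should be validated before it is placed into the header, are illustrated below in an added Python example. This is not Adobe Connect code; the validation rules for the ALLOW-FROM URI (an absolute http or https origin with no path, query or fragment) are an assumption about what sensible validation looks like, since the technote only states that the text is validated.

```python
"""Added example (not Adobe Connect's code): classify a response the way a
clickjacking scanner does, and build/validate the per-account
X-Frame-Options value described in the technote."""
from typing import Optional
from urllib.parse import urlsplit

# Values the Connect UI offers: SAMEORIGIN (default) or ALLOW-FROM <uri>.
# DENY is also a valid X-Frame-Options value but is not offered by that UI.
VALID_MODES = ("SAMEORIGIN", "ALLOW-FROM")


def validate_allow_from_uri(uri: str) -> str:
    """Return a normalised origin for ALLOW-FROM, or raise ValueError.

    Assumed rules (not taken from the technote): the value must be an absolute
    http(s) URL with a host and nothing beyond the origin, so a typo or a
    full page URL cannot silently end up in the header.
    """
    uri = uri.strip()
    if not uri:
        raise ValueError("ALLOW-FROM URI is required")
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        raise ValueError("URI must use http or https")
    if not parts.hostname:
        raise ValueError("URI must include a host")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("URI must be an origin only (no path, query or fragment)")
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname}{port}"


def build_x_frame_options(enabled: bool, mode: str = "SAMEORIGIN",
                          uri: str = "") -> Optional[str]:
    """Compute the X-Frame-Options header value for an account.

    Returns None when the per-account feature is disabled: no header is sent,
    which is exactly the condition a scanner reports as clickjackable.
    """
    if not enabled:
        return None
    mode = mode.upper()
    if mode not in VALID_MODES:
        raise ValueError(f"unsupported mode {mode!r}")
    if mode == "SAMEORIGIN":
        return "SAMEORIGIN"
    return f"ALLOW-FROM {validate_allow_from_uri(uri)}"


def assess_frame_protection(headers: dict) -> str:
    """Classify a response the way a scanner would.

    'protected'   : X-Frame-Options is DENY/SAMEORIGIN/ALLOW-FROM, or a CSP
                    frame-ancestors directive is present
    'weak'        : X-Frame-Options is present but not a recognised value
    'unprotected' : neither header is set
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    if "frame-ancestors" in h.get("content-security-policy", "").lower():
        return "protected"
    xfo = h.get("x-frame-options")
    if xfo is None:
        return "unprotected"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN") or value.startswith("ALLOW-FROM "):
        return "protected"
    return "weak"


if __name__ == "__main__":
    # Constructed sample responses: a server before and after enabling the feature.
    before = {"Content-Type": "text/html", "Server": "Apache"}
    after = dict(before, **{"X-Frame-Options": build_x_frame_options(True)})
    print(assess_frame_protection(before))  # unprotected
    print(assess_frame_protection(after))   # protected
    print(build_x_frame_options(True, "ALLOW-FROM", "https://portal.example.com/"))
```

One caveat worth knowing when choosing ALLOW-FROM: current Chrome, Firefox and Safari ignore that directive (it was only ever honoured by Internet Explorer and old Edge), so for those browsers an ALLOW-FROM header gives no protection at all; the standards-based replacement for allow-listing a framing site is the Content-Security-Policy frame-ancestors directive, which the classifier above also recognises.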

Figure 1 (screenshot: “Configure X-Frame Options” under More Settings; image not included)

Figure 2 (screenshot: Allow From drop-down; image not included)

Figure 3 (screenshot: Allow From URI input box; image not included)


Join the discussion

  • By Sergio Martin - 1:14 AM on January 25, 2019  

    Rahul,

    Are these settings configurable in the custom.ini file of a cluster node?

    ENABLE_X_FRAME_OPTIONS
    FORCE_X_FRAME_OPTIONS

    If they are, it should be mentioned above.

    Thanks,
    Sergio

    • By Rahul Chadha - 6:02 PM on January 31, 2019  

      Hi Sergio,
      I have responded on your email shared