CVE-2022-46061: CVE/registration_ClickJacking.md at master · rdyx0/CVE

Permalink

registration_ClickJacking****Description

AeroCMS v0.0.1 is vulnerable to ClickJacking.Attackers can use this vulnerability to deceive users to click, causing losses to individuals and platforms.

Exploit

1、The following takes registration.php as an example

To detect whether there is a ClickJacking vulnerability, here we find that the response packet does not contain the X-Frame-Options: deny field, then we can construct an HTML file locally and use an iframe to include this page

<html> <head> <title>Clickjacking</title> </head> <body> <iframe src="http://localhost/AeroCMS-0.0.1/registration.php" width="900" height="700" /> </body> </html>

We can successfully load this page