The information security team at Western Washington University has identified two issues with our current installation of WeBWorK version 2.15.
The first is that the jQuery version is out of date. I know that in other systems I maintain the jQuery package itself has been patched; I just can't find any documentation here on the wiki that this has been done in WeBWorK. Is there any concern with running the current version of jQuery? If I were to try to upgrade jQuery, where is that done in WeBWorK?
This is the alert from our InfoSec team:
- According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by multiple cross site scripting vulnerabilities.
The second item follows:
- The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy 'frame-ancestors' response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions.
Is it appropriate to simply set via .htaccess something like,
X-Frame-Options: SAMEORIGIN
or will that potentially break functionality of WeBWorK?
Thank you for the guidance.
With appreciation,
Max
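An added example, not part of the original post or of WeBWorK itself: the Apache directives the question asks about, written the way mod_headers expects, plus a small POSIX shell check that reads response headers (for example from `curl -sI https://host/webwork2/`) and reports whether either anti-framing header is present, so the change can be verified after deployment. It assumes mod_headers is enabled and that .htaccess overrides are permitted for the WeBWorK document root; the sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example; not code from the original post or from WeBWorK.

# The Apache directives in the form mod_headers expects. 'frame-ancestors'
# is the modern replacement for X-Frame-Options; both are set so older and
# newer browsers are covered. Caveat: SAMEORIGIN / 'self' blocks every
# foreign page from framing the site, so if WeBWorK is loaded inside an LMS
# frame (e.g. via LTI) list that LMS origin in frame-ancestors instead.
htaccess_snippet() {
    cat <<'EOF'
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
EOF
}

# Reads raw HTTP response headers on stdin and prints "protected" when an
# X-Frame-Options header or an enforcing Content-Security-Policy header with
# a frame-ancestors directive is present, otherwise "unprotected".
# A Content-Security-Policy-Report-Only header is deliberately not counted,
# because it does not block framing. Exit status 0 = protected, 1 = not.
check_framing_headers() {
    headers=$(tr -d '\r' | tr 'A-Z' 'a-z')
    if printf '%s\n' "$headers" | grep -q '^x-frame-options:'; then
        echo protected; return 0
    fi
    if printf '%s\n' "$headers" | grep '^content-security-policy:' | grep -q 'frame-ancestors'; then
        echo protected; return 0
    fi
    echo unprotected; return 1
}

# Constructed sample responses (not captured from a real WeBWorK server).
SAMPLE_UNPROTECTED='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

SAMPLE_PROTECTED="$SAMPLE_UNPROTECTED
X-Frame-Options: SAMEORIGIN"
```

In practice the check is run as `curl -sI https://host/webwork2/ | check_framing_headers` against a login page and a problem page, since the scanner's finding is that the header is missing from some responses, not all.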