Clickjacking in Red5 Server and global Web.xml is not found #353

Open
LakshmiPhani7680 opened this issue Jul 15, 2024 · 9 comments

@LakshmiPhani7680

LakshmiPhani7680 commented Jul 15, 2024

Issue

Short description

Brief description of what happened
We are trying to add headers in the Red5 media server to avoid clickjacking, but unfortunately the headers aren't getting reflected. Please give us a way to avoid the clickjacking vulnerability and tell us how to add headers in the Red5 media server.

Environment

[] Operating system and version:
[] Java version: jdk8 we are using in red5
[] Red5 version: No idea how to find it.

@chushiyun2015

chushiyun2015 commented Jul 15, 2024 via email

@mondain
Member

mondain commented Jul 26, 2024

@LakshmiPhani7680 could you provide more information on the exploit?

@LakshmiPhani7680
Author

Hi @mondain,
Thank you for the response. In general, if I want to add request or response headers for the Red5 server, where do I need to add them? In the web.xml file in /webapps/vod/, somewhere in it, right? Or anywhere else? I ask because the Red5 server which we are using has this clickjacking vulnerability, because it doesn't have the desired headers to avoid this vulnerability.

@mondain
Member

mondain commented Jul 26, 2024 via email

@LakshmiPhani7680
Author

Hi @mondain,
Yeah sure, will send on Monday. But can you please tell me in general how to add request/response headers like X-Frame-Options for Red5 media server?
Thank you

@mondain
Member

mondain commented Jul 28, 2024

The default JEE container used in Red5 is Tomcat; so you'll want to look at that specifically. If I wanted to inject headers from the server side, I'd add a context listener or servlet filter.

@LakshmiPhani7680
Author

Hi @mondain,
Thank you for the response.
So without Tomcat Red5 won't work? Or only the headers related?

@mondain
Member

mondain commented Jul 28, 2024

The global web.xml for Tomcat is not used in Red5; each app has its own web.xml, so if you cannot sort it out there, you'll have to add a context listener or servlet filter.
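
A servlet filter of the kind suggested in this thread, as an added example (not Red5 project code and not posted by any participant here): it sets `X-Frame-Options` and the CSP `frame-ancestors` directive on every response of the app it is mapped in. The class name `AntiFramingFilter`, its package, the filter name and the `policy` init-param are hypothetical, and the `javax.servlet` namespace is an assumption based on the JDK 8 setup mentioned in the issue.

```java
package com.example.security; // hypothetical package name

import java.io.IOException;
import javax.servlet.*; // assumption: javax.servlet API; newer Tomcat uses jakarta.servlet
import javax.servlet.http.HttpServletResponse;

// Register in the app's own WEB-INF/web.xml (Red5 does not read a global one):
//   <filter>
//     <filter-name>antiFraming</filter-name>
//     <filter-class>com.example.security.AntiFramingFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>antiFraming</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
// Optional <init-param> "policy": DENY (default) or SAMEORIGIN.
public class AntiFramingFilter implements Filter {
    private String xFrameOptions = "DENY";
    private String frameAncestors = "frame-ancestors 'none'";

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String policy = cfg.getInitParameter("policy");
        if (policy == null || "DENY".equalsIgnoreCase(policy)) {
            return; // keep the strict default
        }
        if (!"SAMEORIGIN".equalsIgnoreCase(policy)) {
            // Fail deployment loudly rather than silently sending no protection.
            throw new ServletException("Unsupported framing policy: " + policy);
        }
        xFrameOptions = "SAMEORIGIN";
        frameAncestors = "frame-ancestors 'self'";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Set before chain.doFilter(): headers added after the response
            // is committed are ignored by the container.
            http.setHeader("X-Frame-Options", xFrameOptions);
            http.setHeader("Content-Security-Policy", frameAncestors);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The compiled class goes in the app's `WEB-INF/classes` (or a jar in `WEB-INF/lib`); after redeploying, request a page from that app with `curl -I` and confirm both headers are present. The mapping covers only the app whose web.xml declares it, so each deployed app needs its own registration.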

@LakshmiPhani7680
Author

I have added some tags in web.xml, but they are not getting reflected, so I placed a proxy in front of Red5. I just need to know how to add them for Red5 itself without using any other proxy servers.
