Re: SiteMinder Agent: Cross Site Scripting

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: SiteMinder Agent: Cross Site Scripting
From: securityfocus@xxxxxxxxxxxxx
Date: 8 Nov 2007 15:08:57 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Would you explain in detail how this is a successful exploit?

I ran 
https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0
 against the current 6.0.5.11 SiteMinder Web Agent. 

This attempt is stopped with the following two errors in the Web Agent log.
1. Error.  No redirect target found in namespace.
2. unable to process FCC parameters. Returning SmNoAction.

SiteMinder only causes a redirect to smpwservices.fcc on certain conditions, 
it's not accessed directly, and it would not generate a URL with a query string 
that only includes SMAUTHREASON=<value>.

Or are you attempting to replace SMAUTHREASON=<value> with 
SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0 in the query string 
during the normal process with something like burp proxy?

I tested that as well, and the inserted code was ignored and didn't persist to 
the next step during the process.

Prev by Date: [OpenPKG-SA-2007.023] OpenPKG Security Advisory (perl)
Next by Date: [ GLSA 200711-12 ] Tomboy: User-assisted execution of arbitrary code
Previous by thread: SiteMinder Agent: Cross Site Scripting
Next by thread: Re: Re: SiteMinder Agent: Cross Site Scripting
Index(es):
- Date
- Thread