exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

A091100-1

A091100-1
Posted Sep 13, 2000
Site atstake.com

Atstake Security Advisory - Netegrity's SiteMinder is a web access control product for Solaris and Windows NT that implements various authentication mechanisms to protect content on websites. Due to an error in SiteMinder's URL parsing, it is possible for an attacker to bypass the authentication phase and view protected web pages directly.

tags | web
systems | windows, solaris
SHA-256 | e0d3f793315991d1bfe7a1596da57ae4a879f58a9bf6b103ecee5c49798552b3

A091100-1

Change Mirror Download
----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

@stake Inc.
www.atstake.com

Security Advisory

Advisory Name: SiteMinder Access Control Bypass (A091100-1)
Release Date: 09/11/2000
Application: Netegrity SiteMinder 3.6, 4.0
Platform: Solaris 2.x, Windows NT
Severity: Access control mechanism can be bypassed
Authors: David Litchfield (dlitchfield@atstake.com)
Mark Litchfield (mlitchfield@atstake.com)
Contributors: Frank Swiderski (fes@atstake.com)
Vendor Status: Vendor has released a patch
Web: www.atstake.com/research/advisories/2000/a091100-1.txt


Overview:

Netegrity's SiteMinder
(http://www.netegrity.com/products/siteminder.html) is a web access
control product for Solaris and Windows NT that implements various
authentication mechanisms to protect content on websites. It
features native integration with industry-standard LDAP, NDS, and
NT directory services as well as SQL databases.

SiteMinder supports more fine-grained access control than is
normally provided by web servers. For example, user access can be
restricted to the level of buttons or form fields whereas web servers
generally restrict access at the page level.

Due to an error in SiteMinder's URL parsing, it is possible for
an attacker to bypass the authentication phase and view protected web
pages directly.


Detailed Description:

SiteMinder's authentication mechanism can be bypassed by using
a properly crafted URL. For example, assume the following web page
is protected:

http://www.mysite.com/cgi-bin/secrets.html

Normally, if someone were to try accessing this page, SiteMinder
would intercept the request and prompt for a username and password
before allowing the user to execute the script and view the results.
However, the user can make a small modification to the URL to avoid
the authentication phase:

http://www.mysite.com/cgi-bin/secrets.html/$/foo.ccc

When using a URL crafted in this manner, SiteMinder appears to
ignore its access control policy and simply allows the requested page
to be served to the attacker with no further prompting.

This vulnerability can be used not only to view static web pages,
but also to execute CGI applications and to view server-side source
code. Again, all of these actions can be performed without ever
being prompted for authorization. Example URLs are as follows:

To execute a CGI application:

http://www.mysite.com/cgi-bin/restricted.cgi$/foo.ccc?subject=blah

To view the source code for that CGI application:

http://www.mysite.com/cgi-bin/restricted.cgi/$/foo.ccc

To execute a servlet:

http://www.mysite.com/applets/restricted/$/foo.ccc?query=blah


In the example URL, the non-existent file "foo.ccc" is used
after the "$/" delimiter; however, any filename can be used here
provided it has an extension of .ccc, .class, or .jpg (and possibly
others that have not yet been discovered).


Vendor Response (received via email from Netegrity):

Netegrity identified and fixed this issue earlier this year. The
issue does not exist in the currently shipping SiteMinder 4.11
product, which has already been distributed to all customers on
maintenance. Customers using previous versions of SiteMinder have
been notified of the issue and alerted that they can download the
patch from the customer support section of the Netegrity web site.
Customers can also call customer service at 800-325-9870 with any
questions or concerns.


Recommendations:

First install the vendor patch. The patch does *not* fix the
protection of URLs that do not have a file extensions which is
commonly the case for CGI programs and servlets. An example is the
following:

http://www.mysite.com/applets/restricted

In this case add a file extension so that the patch will work.

http://www.mysite.com/applets/restricted.applet



For more advisories: http://www.atstake.com/research/index.html
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBObzUJFESXwDtLdMhEQIN7ACcDOTd1yzs9Tj+QNeylT3zHY3clnMAoJ83
wjBdhSk2Qbq6/6klpyOKClN5
=I27D
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close