what you don't know can hurt you

Security Notice For CA SiteMinder

Security Notice For CA SiteMinder
Posted Mar 5, 2010
Authored by Ken Williams | Site www3.ca.com

CA's support is alerting customers to a security risk with CA SiteMinder. Multiple cross site scripting (XSS) vulnerabilities exist that can allow a remote attacker to potentially gain sensitive information. CA has provided guidance to remediate the vulnerability.

tags | advisory, remote, vulnerability, xss
advisories | CVE-2009-3731
MD5 | c5e4abac93849cb90447a5c73fd5b883

Security Notice For CA SiteMinder

Change Mirror Download
CA20100304-01: Security Notice for CA SiteMinder


Issued: March 04, 2010


CA's support is alerting customers to a security risk with CA
SiteMinder. Multiple cross site scripting (XSS) vulnerabilities
exist that can allow a remote attacker to potentially gain
sensitive information. CA has provided guidance to remediate the
vulnerability.

The vulnerabilities, CVE-2009-3731, are due to insufficient
validation of input strings. An attacker can potentially steal
network domain credentials by enticing a user to visit a web page
that contains malicious content.


Risk Rating

Low


Platforms

Windows
Solaris
HP-UX
Red Hat Linux


Affected Products

CA SiteMinder 6.0 (SP4 and earlier)


How to determine if the installation is affected

The vulnerability is caused by an issue with the publishing tool
used to create the online help and HTML documentation for older CA
SiteMinder releases (6.0 SP4 and earlier). This vulnerability
affects CA SiteMinder in the following ways:

* HTML versions of the product documentation for SiteMinder can
be deployed on an individual system or through a web server. If
product documentation has been deployed on a web server the
SiteMinder 6.0 installation is vulnerable.

* Online help systems for SiteMinder are deployed and accessible
through a web server. This vulnerability applies to help systems.

In both cases, this vulnerability applies if web access to the
associated web servers has been configured to make use of
non-public (client-specific) information.


Solution

CA SiteMinder:

* Upgrade Policy Servers to the latest service pack for SiteMinder
6.0. Remove older versions of the product documentation from your
servers.

or

* For Integrated Document sets, if you have deployed the HTML
version of documentation to a web server, move the documentation
to a file server and delete the documentation from the web server.

* For Online Help systems, remove the help systems from the
application folders and place them on a file system for future
reference. Note that this will cause help links to fail in the
associated applications.

The folders that contain help systems are:

o Administrative UI Help:
<policy server home>\admin\help

o Policy Server Management Console Help:
<policy server home>\bin\smconsole-help

o SiteMinder Test Tool Help:
<policy server home>\bin\smtest-help


References

CVE-2009-3731 - WebWorks Help XSS


Acknowledgement

CVE-2009-3731 - Daniel Grzelak and Alex Kouzemtchenko of stratsec
(www.stratsec.net)


Change History

Version 1.0: Initial Release


If additional information is required, please contact CA Support
at https://support.ca.com.

If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782



Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2010 CA. All rights reserved.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    1 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close