Federation SMPORTALURL OpenRedirect Vulnerability to undesired site
search cancel

Federation SMPORTALURL OpenRedirect Vulnerability to undesired site

book

Article ID: 12269

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

Federation SMPORTALURL can be manipulated and poses an OpenRedirect Vulnerability.

How can the Federation SMPORTALURL be secured from OpenRedirect Vulnerability as today it can be manipulated and the user can be redirected to a malicious target?

How to validate the value of SMPORTALURL before the browser gets redirected to it. This is to prevent the request from being directed to an undesired site.

 

Resolution

 

The SMPORTALURL Vulnerability was addressed within the 12.52 SP1 Release where a "Use Secure URL" check box was introduced to encrypt only the SMPORTALURL query parameter (1)(2).

The encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website.

 

Additional Information

 

(1)

    Use Secure URL

      This setting instructs the single sign-on service to encrypt
      only the SMPORTALURL query parameter. An encrypted SMPORTALURL
      prevents a malicious user from modifying the value and
      redirecting authenticated users to a malicious website. The
      SMPORTALURL is appended to the Authentication URL before the
      browser redirects the user to establish a session. After the
      user is authenticated, the browser directs the user back to the
      destination specified in the SMPORTALURL query parameter.

      If you select the User Secure URL check box, complete the
      following steps:

      1. Set the Authentication URL field to the following URL:
         http(s)://idp_server:port/affwebservices/secure/secureredirect

    

(2)

    Defects Fixed in 12.52 SP1 CR06

      | Salesforce Case Number | Internal Defect ID | Issue Description                 |
      |------------------------+--------------------+-----------------------------------|
      |               00355124 | DE159107           | SMPORTALURL query value can       |
      |               00454067 | DE198549           | be manipulated as it does not get |
      |                        |                    | encrypted while redirecting to    |
      |                        |                    | redirect.jsp                      |