Remediation for vulnerabilities


Article ID: 129870


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


Three vulnerabilities were found in the Web Agent for IIS 8.5 and the Secure Proxy Server (SPS).

(1) X-Frame-Options header is not set
Because the X-Frame-Options header is not set, the site is vulnerable to clickjacking.
Target: entire site

Is this prevented by the following feature?

(2) Content Security Policy is not set
Because no Content Security Policy is set, the browser's built-in protection against HTML injection attacks such as cross-site scripting is not enabled.
Target: entire site

(3) Possibility of redirecting users to an inappropriate URL by passing a URL as a parameter.

Is using the "SecureURLs" ACO parameter a solution?


Component: SMPLC


(1) Yes. The details are explained in the URL referred to in the inquiry.

(2) Implement Content Security Policy in the protected applications and content where necessary. CA Single Sign-On does not have any special feature for Content Security Policy (CSP).

(3) Yes. Using the "SecureURLs" ACO parameter is a solution.
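Because the resolution leaves the header work to the protected application and points to an encrypted-redirect setting for (3), a practitioner will want a way to verify the outcome on their own site. The following added example is not CA/Broadcom code and is independent of the SiteMinder product: it audits a set of HTTP response headers for the anti-framing and CSP protections from findings (1) and (2), and shows a generic allow-list check for redirect-target parameters as the kind of validation finding (3) calls for. The allow-list check is a plain application-side technique, not an implementation of the SecureURLs ACO parameter; the header values and host names are constructed sample data.

```python
"""Response-header and redirect-target checks for the three findings above.

Added example, not CA/Broadcom code. audit_headers() covers findings (1) and
(2); is_safe_redirect_target() is a generic allow-list check for finding (3)
and is NOT the SiteMinder SecureURLs mechanism.
"""
from urllib.parse import urlsplit


def _csp_directives(csp_value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in csp_value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return a list of findings for a dict of response headers.

    Header names are compared case-insensitively. Anti-framing is satisfied
    by X-Frame-Options DENY/SAMEORIGIN or by a CSP frame-ancestors directive
    (the obsolete ALLOW-FROM form is deliberately not accepted). Presence of
    any CSP at all is reported separately, matching finding (2).
    """
    lower = {name.lower(): value for name, value in headers.items()}
    findings = []
    xfo = lower.get("x-frame-options", "").strip().upper()
    csp = _csp_directives(lower.get("content-security-policy", ""))
    framing_ok = xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp
    if not framing_ok:
        findings.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")
    if not csp:
        findings.append("no Content-Security-Policy header")
    return findings


def is_safe_redirect_target(target, allowed_hosts):
    """Accept only site-relative paths or absolute URLs whose host is allow-listed.

    Rejects protocol-relative targets ("//host/...") and backslash variants,
    which some browsers normalise to a foreign host.
    """
    if not target or target.startswith("//") or "\\" in target:
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target.startswith("/")
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


# Constructed sample responses: a bare IIS response and a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html", "Server": "Microsoft-IIS/8.5"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}
ALLOWED_HOSTS = {"app.example.com"}  # constructed allow-list

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["ok"])
    for candidate in ("/protected/home", "//evil.example/", "https://app.example.com/home"):
        print(candidate, is_safe_redirect_target(candidate, ALLOWED_HOSTS))
```

Run the module directly to see both header sets audited and three redirect candidates classified; in a deployment the header dict would come from a real response to a protected URL, and the allow-list would hold the site's own host names.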