SDM: Vulnerability with PDMWEB LINK_WITH_BOPSID URL open redirect
book
Article ID: 132290
calendar_today
Updated On:
Products
SUPPORT AUTOMATION- SERVERCA Service Desk Manager - Unified Self ServiceCA Service Desk ManagerCA Service Management - Asset Portfolio ManagementCA Service Management - Service Desk Manager
Issue/Introduction
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application's access control check and then forward the attacker to privileged functions that they would normally not be able to access.
The pdmweb.exe "LINK_WITH_BOPSID+URL" parameter is the key component to this vulnerability with regards to Service Desk, in which the given variable can be exploited to house the aforementioned untrusted and unauthorised URL.
Environment
CA Service Desk Manager 14.1 and 17.1
Resolution
There is a setting that is available with CA Service Desk Manager, starting with 14.1 CP5 and 17.1 GA. The setting is the NX variable: @NX_VALID_EXT_URLS which when set to a semicolon separated list of valid URLs, will validate the URL parameter against this white-list. If the URL is invalid, the redirect is blocked.
This option can be installed by running the following command from the Command Prompt on the Primary server machine:
pdm_options_mgr -c -s VALID_EXT_URLS -v URL1; URL2; URL3 -a pdm_option.inst
To avoid losing the change when you run pdm_configure, please run the above command with the '-t' flag as follows:
In the above, URL1, URL2, URL3 etc., below are the only allowed ones from that point on, ie:
pdm_options_mgr -c -s VALID_EXT_URLS -v http://www.domain1.com; http://www.domain2.com; http://www.domain3.com -a pdm_option.inst
As with any changes in Options Manager, you will need to install the above setting and schedule a recycle of SDM Services for the change to take effect.