SDM: Vulnerability with PDMWEB LINK_WITH_BOPSID URL open redirect


Article ID: 132290


Products

SUPPORT AUTOMATION - SERVER
CA Service Desk Manager - Unified Self Service
KNOWLEDGE TOOLS
CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager

Issue/Introduction

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that causes it to redirect the request to a URL contained in that input. By changing the URL in the input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to craft a URL that passes the application's access control check and then forwards the attacker to privileged functions that they would normally not be able to access.

In Service Desk Manager, the affected component is the "URL" parameter of the pdmweb.exe "LINK_WITH_BOPSID" request: the value supplied in that parameter is used as the redirect target without validation, so it can be made to carry the untrusted and unauthorised URL described above.

Environment

CA Service Desk Manager 14.1 and 17.1

Resolution

A setting to close this is available in CA Service Desk Manager starting with 14.1 CP5 and 17.1 GA: the NX variable @NX_VALID_EXT_URLS. When it is set to a semicolon-separated list of valid URLs, the URL parameter is validated against this white-list, and the redirect is blocked if the URL is not on the list.

This option can be installed by running the following command from the Command Prompt on the Primary server machine: 

pdm_options_mgr -c -s VALID_EXT_URLS -v URL1; URL2; URL3 -a pdm_option.inst 

To avoid losing the change when you run pdm_configure, please run the above command with the '-t' flag as follows: 

pdm_options_mgr -c -s VALID_EXT_URLS -v URL1; URL2; URL3 -a pdm_option.inst -t 

In the above, URL1, URL2, URL3 and so on are the only redirect targets allowed from that point on, e.g.:

pdm_options_mgr -c -s VALID_EXT_URLS -v http://www.domain1.com; http://www.domain2.com; http://www.domain3.com -a pdm_option.inst

As with any change in Options Manager, you will need to install the above setting and schedule a recycle of the SDM services for the change to take effect.
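The following is an added illustration, not code from CA or from pdmweb.exe, of the kind of allow-list check that @NX_VALID_EXT_URLS enables. It takes the value in the same form the pdm_options_mgr command above uses (a semicolon-separated list of absolute URLs, with the spaces after the separators tolerated) and accepts a redirect target only when its scheme, host and port exactly match an entry. How pdmweb.exe itself compares the URL is not described on this page, so the exact-match rule and the fallback location "/" used when a redirect is blocked are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed allow-list value in the same form as the VALID_EXT_URLS
# option in the article's example command (spaces after the separators).
VALID_EXT_URLS = "http://www.domain1.com; http://www.domain2.com; http://www.domain3.com"


def _url_key(url):
    """Reduce an absolute http(s) URL to (scheme, host, port); None if it is not one.

    urlsplit() lowercases the host and drops any user-info part, so
    http://www.domain1.com@other.example yields host other.example.
    Accessing .port can raise ValueError for malformed ports, hence the guard.
    """
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        return (parts.scheme, parts.hostname, parts.port)
    except ValueError:
        return None


def parse_valid_ext_urls(value):
    """Split a semicolon-separated allow-list into a set of (scheme, host, port).

    Whitespace around each entry is stripped and empty entries are ignored.
    Entries that are not absolute http(s) URLs are rejected outright, since a
    relative or scheme-less entry could never be matched safely.
    """
    allowed = set()
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        key = _url_key(entry)
        if key is None:
            raise ValueError("allow-list entry is not an absolute http(s) URL: %r" % entry)
        allowed.add(key)
    return allowed


def is_allowed_redirect(url, allowed):
    """True only if url is an absolute http(s) URL whose (scheme, host, port)
    exactly matches an allow-list entry.

    Exact host comparison is the point: a substring or prefix test would also
    accept hosts such as www.domain1.com.attacker.example. A scheme-relative
    target such as //other.example has no scheme and is rejected as well.
    """
    key = _url_key(url)
    return key is not None and key in allowed


def redirect_target(url, allowed, fallback="/"):
    """Model the blocked redirect: return the requested URL when it passes the
    check, otherwise the (assumed) local fallback location instead of the
    untrusted target."""
    return url if is_allowed_redirect(url, allowed) else fallback


if __name__ == "__main__":
    allowed = parse_valid_ext_urls(VALID_EXT_URLS)
    for candidate in (
        "http://www.domain1.com/some/page?x=1",
        "http://www.domain1.com.attacker.example/",
        "http://www.domain1.com@other.example/",
        "//www.domain2.com/",
    ):
        print(candidate, "->", redirect_target(candidate, allowed))
```

Note that the comparison includes the scheme: with the list above, an https:// redirect to www.domain1.com is blocked, so a deployment that serves both schemes must list both forms of each URL.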