SDM: Vulnerability with PDMWEB LINK_WITH_BOPSID URL open redirect
Article ID: 132290
SUPPORT AUTOMATION- SERVERCA Service Desk Manager - Unified Self ServiceKNOWLEDGE TOOLSCA Service Management - Asset Portfolio ManagementCA Service Management - Service Desk Manager
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application's access control check and then forward the attacker to privileged functions that they would normally not be able to access.
The pdmweb.exe "LINK_WITH_BOPSID+URL" parameter is the key component to this vulnerability with regards to Service Desk, in which the given variable can be exploited to house the aforementioned untrusted and unauthorised URL.
CA Service Desk Manager 14.1 and 17.1
There is a setting that is available with CA Service Desk Manager, starting with 14.1 CP5 and 17.1 GA. The setting is the NX variable: @NX_VALID_EXT_URLS which when set to a semicolon separated list of valid URLs, will validate the URL parameter against this white-list. If the URL is invalid, the redirect is blocked.
This option can be installed by running the following command from the Command Prompt on the Primary server machine:
pdm_options_mgr -c -s VALID_EXT_URLS -v URL1; URL2; URL3 -a pdm_option.inst
To avoid losing the change when you run pdm_configure, please run the above command with the '-t' flag as follows: