
"Vulnerability in SMAUTHREASON is Exposed to Attack" in Web Agent 12.52


Article ID: 15117


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On


Is the Web Agent also affected by the vulnerability fixed in 12.52SP1CR04?


  Vulnerability in SMAUTHREASON is Exposed to Attack

  The Web Agent vulnerability: non-numeric data in the SMAUTHREASON
  parameter is exposed to JSP/JavaScript attack.

  STAR Issue: 21589939-01, 21474394-01

  RTC Issue: 137831, 137834/DE72676, DE72835



Release: ETRSBB99000-12.52-SiteMinder-B to B


Yes. You need to upgrade the Web Agent to 12.52SP1CR04.


  The 12.52SP1CR04 release provides two fixes:

  1 - Execution of code injected in SMAUTHREASON when accessing a
      .fcc form.

  2 - Crash of the Web Agent when the hostname exceeds 256 characters.



  Here are the details of the two issues solved in the above-mentioned
  fix:

  1 - Running a Web Agent, when accessing a .fcc page and trying to
      inject some code, like this:

      a popup appears in the browser because the Web Agent executes the
      injected code.

      With the fix, the Web Agent no longer executes the code and
      reports in its logs:

      [Warning. SMAUTHREASON parameter value is non-numeric]


  2 - Running a Web Agent on SunOne, if it received a request in which
      the FQDN of the hostname was longer than 256 characters, the Web
      Agent crashed.

      With the fix, the Web Agent on SunOne no longer crashes, and it
      logs a note that the maximum of 256 characters has been exceeded:

      [Hostname length exceeds maximum length per RFC:1035 sHost: ][][][][][][]
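The two behaviours the fix introduces (reject a non-numeric SMAUTHREASON instead of reflecting it into the .fcc page, and refuse a hostname over the 256-character limit instead of crashing) can be modelled on the defender's side, and the two log messages quoted above are what an upgraded agent emits when it refuses such input. The following Python is an added example, not CA/Broadcom code: it applies the same checks to request input, and counts the two warnings in agent log text so an operator can confirm the hardened behaviour is active. The function names, the "0" fallback reason code, and the sample log lines are constructed assumptions; only the two message strings and the 256 limit come from the article.

```python
"""Input checks and log triage modelled on the 12.52SP1CR04 fix.

Constructed example (not CA code): function names, the DEFAULT_REASON
fallback and SAMPLE_LOG are assumptions; the two message strings and the
256-character limit are the ones quoted in the article.
"""
import re
from collections import Counter

# Log messages the fixed Web Agent writes (quoted from the article).
SMAUTHREASON_WARNING = "Warning. SMAUTHREASON parameter value is non-numeric"
HOSTNAME_WARNING = "Hostname length exceeds maximum length per RFC:1035"

MAX_HOSTNAME_LEN = 256   # limit stated in the article
DEFAULT_REASON = "0"     # assumption: neutral reason code used when input is rejected

_NUMERIC = re.compile(r"[0-9]+")


def validate_smauthreason(raw):
    """Return the reason code as an int when the value is purely numeric, else None.

    Allowing only digits is what keeps script or markup text supplied in
    SMAUTHREASON from ever being reflected into the .fcc page.
    """
    if raw is None or not _NUMERIC.fullmatch(raw):
        return None
    return int(raw)


def validate_hostname(host):
    """True when the request's FQDN fits the limit the fixed agent enforces."""
    return len(host) <= MAX_HOSTNAME_LEN


def process_fcc_request(params, host):
    """Decide what a hardened .fcc handler substitutes and logs.

    Returns (reason_value_for_template, host_accepted, log_lines).
    Rejected input is replaced by a safe default and logged, never echoed.
    """
    log = []
    code = validate_smauthreason(params.get("SMAUTHREASON"))
    if code is None:
        log.append(f"[{SMAUTHREASON_WARNING}]")
        reason = DEFAULT_REASON
    else:
        reason = str(code)
    host_ok = validate_hostname(host)
    if not host_ok:
        # Log only a truncated host so the log line itself stays bounded.
        log.append(f"[{HOSTNAME_WARNING} sHost: {host[:64]}...]")
    return reason, host_ok, log


def triage_agent_log(lines):
    """Count the two fix-related warnings in Web Agent log text.

    A pre-fix agent emits neither message, so on an agent that is known to
    receive malformed requests their absence is worth checking against the
    agent version.
    """
    counts = Counter()
    for line in lines:
        if SMAUTHREASON_WARNING in line:
            counts["smauthreason_non_numeric"] += 1
        elif HOSTNAME_WARNING in line:
            counts["hostname_too_long"] += 1
    return dict(counts)


# Constructed sample log excerpt (not real agent output).
SAMPLE_LOG = [
    "[INFO] Request for /siteminderagent/forms/login.fcc processed",
    f"[WARNING] [{SMAUTHREASON_WARNING}]",
    "[INFO] Request for /protected/index.html processed",
    f"[WARNING] [{HOSTNAME_WARNING} sHost: " + "a" * 64 + "...]",
]


if __name__ == "__main__":
    print(process_fcc_request({"SMAUTHREASON": "7"}, "sso.example.test"))
    print(process_fcc_request({"SMAUTHREASON": "7<b>x</b>"}, "a" * 300))
    print(triage_agent_log(SAMPLE_LOG))
```

Running the module on the constructed input shows a numeric reason code passed through unchanged, a non-numeric one replaced by the default and logged, an over-long host refused rather than processed, and one hit per warning type in the sample log.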