Open redirect vulnerability affwebservices Web Agent Option Pack?
Article ID: 191744


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

When running a Web Agent Option Pack, when a user accesses the resource /affwebservices/public/samlcc, the TARGET parameter is vulnerable to an "Open Redirect": the HTTP request can be modified to carry an arbitrary URL, and the user is redirected to that URL.

 

Environment

Web Agent Option Pack 12.52SP1CR10 on Tomcat on Linux

 

Resolution

There is an ACO parameter, ValidFedTargetDomain, that can be set for the Web Agent Option Pack to force it to validate the TARGET value against a whitelist of domains (1)(2)(3).

With that parameter set, a GET whose target is an unknown host such as "xxxxxxx.example.com" is validated by the Web Agent Option Pack before the response is given to the browser:

GET /affwebservices/public/samlcc?TARGET=http://xxxxxxx.example.com&SAMLart=dsF1csdwedwdsads44dsa4w4wd44dslN5g%2BHadj2f2IwfY
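To illustrate what a TARGET allow-list check has to cover, here is an added example validator (not the product's own code; the real ValidFedTargetDomain matching rules are not described in this article). It assumes a constructed allow list of two domains, treats subdomains of an allowed domain as allowed, and rejects the usual open-redirect shapes: external hosts, scheme-relative URLs, userinfo tricks and backslash confusion.

```python
from urllib.parse import urlsplit

# Constructed allow list standing in for the domains an administrator would
# configure in ValidFedTargetDomain (hypothetical values for this example).
VALID_FED_TARGET_DOMAINS = ("sso.example.com", "partner.example.net")


def host_allowed(host: str, allowed=VALID_FED_TARGET_DOMAINS) -> bool:
    """True if host equals an allowed domain or is a subdomain of one.

    Subdomain matching is an assumption of this example, not a documented
    behaviour of the ACO parameter.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def validate_target(target: str, allowed=VALID_FED_TARGET_DOMAINS) -> bool:
    """Return True only if TARGET is a safe redirect destination.

    Relative paths are accepted because they stay on the current server.
    Absolute URLs must use http(s), carry no userinfo and resolve to an
    allowed host. Backslashes and CR/LF are rejected outright: browsers
    may treat "\\" as "/", and CR/LF would allow header injection.
    """
    if not target or any(c in target for c in "\r\n\\"):
        return False
    if target.startswith("/") and not target.startswith("//"):
        return True  # site-relative path, never leaves this host
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False  # also rejects scheme-relative "//host", whose scheme is ""
    if parts.username is not None or parts.password is not None:
        return False  # "http://good@evil" style userinfo trick
    if not parts.hostname:
        return False
    return host_allowed(parts.hostname, allowed)
```

Run against the request above, the unknown host xxxxxxx.example.com is rejected while a path under one of the allowed domains passes.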

 

Additional Information

(1) Web Agent Option Pack :: ACO : Full List, entry ValidFedTargetDomain (Agent Setting for Federation Domains).

(2) ValidFedTargetDomain: Defines valid domains for your federated environment. See Agent Setting for Federation Domains. (From the list of agent configuration parameters.)

(3) SAML Credential Collector Service URL (SAML 1.x): The SAML Credential Collector service assists in consuming SAML 1.x assertions. Default URL for this service:

https://consumer_server:port/affwebservices/public/samlcc

consumer_server:port identifies the web server and port hosting the Web Agent Option Pack or CA Access Gateway. (From the federation web services URLs used by the product.)