[Pentest Finding] Open Redirect Vulnerability in affwebservices
Article ID: 191744
Products
CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER
Issue/Introduction
We're running a Web Agent Option Pack and we've found a vulnerability.
When a user accesses the resource /affwebservices/public/samlcc, the Target parameter is vulnerable to "Open Redirect": the HTTP request can be modified to contain some arbitrary URL, redirecting the user to this modified URL.
How can we fix this?
Environment
Web Agent Option Pack 12.52SP1CR10 on Tomcat on Linux
Resolution
At first glance, there's an ACO parameter you can set for the Web Agent Option Pack to force it to validate the TARGET value against a white list:
So a GET request to an unknown target such as "mybadserver.mybaddomain.com" will be validated by the Web Agent Option Pack before the response is returned to the browser, and the redirect is refused unless the host is on the white list.
GET /affwebservices/public/samlcc?TARGET=http://mybadserver.mybaddomain.com&SAMLart=dsF1csdwedwdsads44dsa4w4wd44dslN5g%2BHadj2f2IwfY
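To make the white-list check concrete, here is an added illustration of the kind of TARGET validation the ACO setting performs. It is example code written for this article, not the Web Agent Option Pack's own implementation, and the allow-list entries (sp.example.com, .apps.example.com), the function names and the default landing page are assumptions; it also extracts TARGET from a request line like the one above so the rejected case can be seen end to end.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list standing in for the ACO white list; the real
# parameter name and its format are not shown on this page.
# A leading dot allows the domain itself and any subdomain of it.
ALLOWED_TARGET_DOMAINS = ("sp.example.com", ".apps.example.com")

# Constructed request line modelled on the one quoted above.
SAMPLE_REQUEST = (
    "GET /affwebservices/public/samlcc"
    "?TARGET=http://mybadserver.mybaddomain.com&SAMLart=dsF1csdw HTTP/1.1"
)


def host_allowed(host: str) -> bool:
    """True when host exactly matches, or is a subdomain of, an allowed entry."""
    host = host.lower().rstrip(".")
    for entry in ALLOWED_TARGET_DOMAINS:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def validate_target(target: str, default: str = "/") -> str:
    """Return a safe redirect location for a TARGET value.

    Same-origin paths ("/protected/app") are accepted unchanged. Absolute
    URLs must use http(s) and carry an allow-listed host. Scheme-relative
    "//host", backslash variants, userinfo tricks ("host@evil") and
    non-HTTP schemes all fall back to the default landing page.
    """
    if not target:
        return default
    # Browsers treat backslashes as forward slashes, so normalise first.
    cleaned = target.replace("\\", "/")
    if cleaned.startswith("/") and not cleaned.startswith("//"):
        return cleaned  # relative path: no host to validate
    parts = urlsplit(cleaned)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return default
    if parts.username is not None or parts.password is not None:
        return default  # "http://sp.example.com@evil.example/" style
    if not host_allowed(parts.hostname):
        return default
    return cleaned


def target_from_request_line(request_line: str) -> str:
    """Pull the TARGET query parameter out of a raw HTTP request line."""
    path = request_line.split(" ", 2)[1]
    return parse_qs(urlsplit(path).query).get("TARGET", [""])[0]
```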