Login.fcc page XSS vulnerability


Article ID: 204734



Products:
  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER



We're running a Web Agent and we discovered that we can add the
following code in the Target value in order to get access to the

  accesskey="x" onclick="alert(1)"

Then, when we send the following URL:

https://myserver.mydomain.com/siteminderagent/forms/login.fcc?TYPE=3355433&REALMOID=06-5ftdS393 [...]

we get a popup reporting the value 1:

   [Screenshot: browser alert dialog showing the value 1 with an OK button]

How can we fix this?




At first glance, URL-encoding the TARGET value when the .fcc writes it
into the page and URL-decoding it again after the POST should prevent
this vulnerability, according to this community thread:

  Protecting FCC against attacks using encoding/decoding

    – this tip describes how to protect the FCC using existing
    siteminder mechanisms that are part of the language that make the
    FCC files programmable

    So $$target$$ becomes $$urlencode(target)$$, for example. Then, to
    make sure that the variable is properly decoded after a post
    (important for hidden variables!!), place @variable=%decode
    function(variable)% at the top of the file in the list of FCC
    directives. Following my example, you’d add



You may also check the ACO parameters CSSChecking and BadCSSChars, which
may be even more restrictive.


  Configure the Web Agent to Check For Cross-Site Scripting

    To instruct the Web Agent to check a URL for characters that may be
    part of an executable script, set the following agent configuration
    parameter to Yes.

    CSSChecking

    Enable this parameter to configure the Web Agent to scan a full URL,
    including the query string, for escaped and unescaped versions of the
    following default character set:

      - left and right angle brackets (< >)
      - single quote (')

      Default: Yes


  Override the Default CSS Character Set

  By default, the agent checks for the following default cross-site scripting character set:

    Left and right angle brackets (< >)
    Single quote  (')

  To override the default character set, use the BadCSSChars parameter.

    BadCSSChars

    Overrides the default cross-site scripting character set with the
    characters of your choice. Include the entire string of characters
    that you want. For example, include '\' to avoid JavaScript attacks.

      Default: <,',> (A comma separates the characters.)
      Example: <,>, \ (In this example, the Agent scans only for the left and right angle brackets along with the backslash.)

    Limits: Note the following guidelines:

    The maximum number of characters is 4096, including commas, which
    separate the characters.

    Specify a range of characters by separating them with a hyphen. The
    syntax is: starting_character - ending_character. For example, a-z is
    a range of characters.

    The BadCSSChars parameter does not interpret the double quotation mark
    (") when it is entered as an ASCII character. To include the double
    quotation mark as a bad cross-site scripting character, enter the
    hexadecimal equivalent of the ASCII character, which is %22. For
    example: BadCSSChars="%22"
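The following is an added example, not Web Agent code, that models the CSSChecking scan with the BadCSSChars format described above: it parses the parameter the way the documentation describes (comma-separated characters, hyphen ranges, %XX for characters such as the double quote, the 4096-character limit) and scans a URL both as received and after percent-decoding. The URLs are constructed (the host is the one from the report; the parameters are made up), and the function names are chosen for this example. The URL carrying the attribute text from the report shows why the default set, which lacks the double quote, does not catch it until %22 is added.

```python
"""Model of the Web Agent's CSSChecking / BadCSSChars scan.

Added example, not Web Agent code. Parses a BadCSSChars value as documented
above and scans a full URL, raw and percent-decoded, for the listed characters.
"""
from urllib.parse import unquote

DEFAULT_BAD_CSS_CHARS = "<,',>"       # documented default
WITH_DOUBLE_QUOTE = "<,',>,%22"       # default plus the double quote via %22
MAX_BADCSS_LENGTH = 4096              # documented limit, commas included


def parse_bad_css_chars(spec: str) -> set[str]:
    """Expand a BadCSSChars string into the set of forbidden characters."""
    if len(spec) > MAX_BADCSS_LENGTH:
        raise ValueError("BadCSSChars exceeds the 4096-character limit")
    bad: set[str] = set()
    for item in spec.split(","):
        item = item.strip()          # tolerate the "<,>, \" spacing of the example
        if not item:
            continue
        if len(item) == 3 and item[0] == "%":
            bad.add(chr(int(item[1:], 16)))       # %22 -> "
        elif len(item) == 3 and item[1] == "-":
            lo, hi = item[0], item[2]             # a-z -> every lowercase letter
            bad.update(chr(c) for c in range(ord(lo), ord(hi) + 1))
        else:
            bad.update(item)                      # literal character(s)
    return bad


def find_bad_css_chars(url: str, bad: set[str]) -> set[str]:
    """Bad characters present in the URL, checked in both its escaped and
    unescaped forms so that %3C is caught as well as a literal <."""
    found: set[str] = set()
    for form in (url, unquote(url)):
        found.update(c for c in form if c in bad)
    return found


def css_check(url: str, bad_css_chars: str = DEFAULT_BAD_CSS_CHARS,
              css_checking: bool = True) -> str:
    """'deny' when CSSChecking is on and the URL contains a bad character,
    otherwise 'allow'. The real agent answers Access Denied and logs the event."""
    if not css_checking:
        return "allow"
    bad = parse_bad_css_chars(bad_css_chars)
    return "deny" if find_bad_css_chars(url, bad) else "allow"


# Constructed URLs: host from the report, query parameters made up for the example.
BASE = "https://myserver.mydomain.com/siteminderagent/forms/login.fcc?TYPE=3355433"
CLEAN_URL = BASE + "&TARGET=https%3A%2F%2Fapp.example.test%2Fhome"
# The attribute text from the report, URL-encoded as a browser would send it.
ATTR_INJECTION_URL = CLEAN_URL + "%20accesskey%3D%22x%22%20onclick%3D%22alert(1)%22"
# An escaped angle bracket: caught by the default set only because the scan
# also looks at the decoded form.
SCRIPT_URL = CLEAN_URL + "%3Cscript%3E"

if __name__ == "__main__":
    for name, url in (("clean", CLEAN_URL), ("attr injection", ATTR_INJECTION_URL),
                      ("angle brackets", SCRIPT_URL)):
        print(f"{name:15} default set: {css_check(url):5}  "
              f"with %22 added: {css_check(url, WITH_DOUBLE_QUOTE)}")
```

With the default character set the angle-bracket URL is denied but the attribute-injection URL from the report is allowed, because that payload needs only spaces, double quotes and equals signs. Adding %22 to BadCSSChars makes the agent deny it, which is the tightening the documentation excerpt above is pointing at; the FCC-side encoding remains the fix for the output itself.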

    If the agent detects a problem related to the character set, it
    returns an Access Denied message to the user and logs the
    following message in the Agent error log: