Login.fcc page XSS vulnerability
Article ID: 204734

Products

  - CA Single Sign On Secure Proxy Server (SiteMinder)
  - CA Single Sign On Agents (SiteMinder)
  - CA Single Sign On Federation (SiteMinder)
  - CA Single Sign On SOA Security Manager (SiteMinder)
  - SITEMINDER

Issue/Introduction


We're running a Web Agent and we discovered that we can add the
following code in the Target value in order to get access to the
application.

  accesskey="x" onclick="alert(1)"

Then, when we send the following URL:

https://myserver.mydomain.com/siteminderagent/forms/login.fcc?TYPE=3355433&REALMOID=06-5ftdS393 [...]

and we get a popup reporting the value 1:

  [Browser alert dialog showing the value 1 with an OK button]

How can we fix this?


Resolution


At first glance, URL-encoding the TARGET value where the .fcc renders it
and URL-decoding it again after the POST should prevent that
vulnerability, as described in this community thread:

  Protecting FCC against attacks using encoding/decoding

    – this tip describes how to protect the FCC using existing
    SiteMinder mechanisms that are part of the language that makes the
    FCC files programmable

    So $$target$$ becomes $$urlencode(target)$$, for example. Then, to
    make sure that the variable is properly decoded after a post
    (important for hidden variables!!), place @variable=%decode
    function(variable)% at the top of the file in the list of FCC
    directives. Following my example, you’d add
    @target=%urldecode(target)%

    [...]

  https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=717969
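The Python model below is an added example, not code from the community post or from SiteMinder. It simulates the two halves of the tip: rendering the hidden field with `$$urlencode(target)$$` instead of `$$target$$`, and restoring the value with `@target=%urldecode(target)%` after the browser posts it back. The FCC engine is simulated, `urllib`'s `quote`/`unquote` stand in for the agent's own `urlencode`/`urldecode` functions (an assumption; the agent's encoding may differ in detail), and the malicious TARGET value is constructed from the attribute injection shown in the issue.

```python
"""Added example (not SiteMinder code): effect of the FCC tip
$$target$$ -> $$urlencode(target)$$ plus @target=%urldecode(target)%.
The FCC engine is simulated; urllib quote/unquote stand in for the
agent's urlencode/urldecode functions (an assumption)."""
from html.parser import HTMLParser
from typing import Dict
from urllib.parse import quote, unquote

# Constructed TARGET value using the attribute injection from the issue:
# it closes the value="..." attribute and appends an onclick handler.
MALICIOUS_TARGET = '/app/" accesskey="x" onclick="alert(1)'
SAFE_TARGET = "/app/home?page=1"


def render_raw(target: str) -> str:
    """Original template line: <input ... value="$$target$$">"""
    return f'<input type="hidden" name="target" value="{target}">'


def render_encoded(target: str) -> str:
    """Hardened template line: <input ... value="$$urlencode(target)$$">"""
    return f'<input type="hidden" name="target" value="{quote(target, safe="")}">'


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser would see on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = {k: (v or "") for k, v in attrs}


def input_attributes(html: str) -> Dict[str, str]:
    """Parse the rendered tag the way a browser would and return its attributes."""
    p = _InputAttrs()
    p.feed(html)
    return p.attrs


def breaks_out(html: str) -> bool:
    """True if the rendered tag carries an attribute injected via TARGET."""
    return "onclick" in input_attributes(html)


def decode_after_post(form: Dict[str, str]) -> Dict[str, str]:
    """Simulates @target=%urldecode(target)% at the top of the FCC: the
    browser posts the encoded hidden field back, the directive restores it."""
    out = dict(form)
    if "target" in out:
        out["target"] = unquote(out["target"])
    return out


def roundtrip(target: str) -> str:
    """Render with urlencode, post the hidden field back, decode it."""
    posted = {"target": input_attributes(render_encoded(target))["value"]}
    return decode_after_post(posted)["target"]


if __name__ == "__main__":
    print("raw template breaks out:    ", breaks_out(render_raw(MALICIOUS_TARGET)))
    print("encoded template breaks out:", breaks_out(render_encoded(MALICIOUS_TARGET)))
    print("value intact after decode:  ", roundtrip(MALICIOUS_TARGET) == MALICIOUS_TARGET)
```

With the raw template the browser sees `accesskey` and `onclick` as attributes of the input; with the encoded template the whole payload stays inside the `value` attribute, and the decode step still hands the application the original TARGET string, which is why the tip insists on decoding hidden variables after the POST.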

You may also check the ACO parameters CSSChecking and BadCSSChars, which
can be even more restrictive.

CSSChecking

  Configure the Web Agent to Check For Cross-Site Scripting

    To instruct the Web Agent to check a URL for characters that may be
    part of an executable script, set the following agent configuration
    parameter to Yes.

    CSSChecking

    Enable this parameter to configure the Web Agent to scan a full URL,
    including the query string, for escaped and unescaped versions of the
    following default character set:

      - left and right angle brackets (< >)
      - single quote (')

      Default: Yes

BadCSSChars

  Override the Default CSS Character Set

  By default, the agent checks for the following default cross-site scripting character set:

    Left and right angle brackets (< >)
    Single quote  (')

  To override the default character set, use the BadCSSChars parameter.

  BadCSSChars

    Overrides the default cross-site scripting character set with the
    characters of your choice. Include the entire string of characters
    that you want. For example, include '\' to avoid JavaScript attacks.

      Default: <,',> (A comma separates the characters.)
      Example: <,>, \ (In this example, Agent scans only for the left and right angle brackets along with the backslash.)

    Limits: Note the following guidelines:

    The maximum number of characters is 4096, including commas, which
    separate the characters.

    Specify a range of characters by separating them with a hyphen. The
    syntax is: starting_character - ending_character. For example, a-z is
    a range of characters.

    The BadCSSChars parameter does not interpret the double quotation marks
    (") when they are entered as an ASCII character. To include the double
    quotation marks as a bad cross-site scripting character, enter the
    hexadecimal equivalent of the ASCII character, which is %22. For
    example: BadCSSChars="%22"

    If the agent detects a problem related to the character set, it
    returns an Access Denied message to the user, and logs the
    following message in the Agent error log:

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html
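The following Python is an added example, not CA/Broadcom agent code: a reimplementation of the CSSChecking/BadCSSChars behaviour exactly as the documentation above describes it, so that the effect of each setting can be tried against constructed URLs. It assumes the scan covers both the URL as received and its percent-decoded form (the documented "escaped and unescaped versions"), expands a BadCSSChars value with comma separators, hyphen ranges and the %22 form of the double quote, and returns the Access Denied decision rather than serving the page.

```python
"""Added example (not CA/Broadcom agent code): a reimplementation of the
documented CSSChecking / BadCSSChars behaviour, written as an assumption
about how such a check works. It expands a BadCSSChars value (comma
separated, hyphen ranges, %22 for the double quote) and scans a full URL,
query string included, for escaped and unescaped forms of those characters."""
import re
from typing import Optional, Set, Tuple
from urllib.parse import unquote

DEFAULT_BAD_CSS_CHARS = "<,',>"            # documented default
MAX_BAD_CSS_CHARS_LEN = 4096               # documented limit, commas included

_RANGE = re.compile(r"^(.)\s*-\s*(.)$")    # starting_character - ending_character
_HEX = re.compile(r"^%([0-9A-Fa-f]{2})$")  # e.g. %22 for the double quote


def parse_bad_css_chars(spec: str) -> Set[str]:
    """Expand a BadCSSChars value into the set of characters to reject."""
    if len(spec) > MAX_BAD_CSS_CHARS_LEN:
        raise ValueError("BadCSSChars longer than the 4096-character limit")
    chars: Set[str] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = _HEX.match(item)
        if m:                                  # %22 -> '"'
            chars.add(chr(int(m.group(1), 16)))
            continue
        m = _RANGE.match(item)
        if m:                                  # a-z -> every character in between
            lo, hi = ord(m.group(1)), ord(m.group(2))
            chars.update(chr(c) for c in range(lo, hi + 1))
            continue
        # Literal characters. A bare ASCII double quote is documented as not
        # interpreted, so it is dropped here as well (use %22 instead).
        chars.update(c for c in item if c != '"')
    return chars


def css_check(url: str, spec: str = DEFAULT_BAD_CSS_CHARS) -> Tuple[bool, Optional[str]]:
    """Return (allowed, offending_char). Both the URL as received and its
    percent-decoded form are scanned, so %3C is caught like a literal <."""
    bad = parse_bad_css_chars(spec)
    for candidate in (url, unquote(url)):
        for ch in candidate:
            if ch in bad:
                return False, ch
    return True, None


def agent_decision(url: str, spec: str = DEFAULT_BAD_CSS_CHARS) -> str:
    """What the agent does on a hit: Access Denied instead of serving the page."""
    allowed, ch = css_check(url, spec)
    return "OK" if allowed else f"Access Denied (bad CSS character {ch!r})"


if __name__ == "__main__":
    # Constructed sample URLs in the shape of the one from the issue
    base = "https://myserver.mydomain.com/siteminderagent/forms/login.fcc?TYPE=3355433&TARGET="
    print(agent_decision(base + "%2Fapp%2Fhome"))                     # OK
    print(agent_decision(base + "%3Cscript%3E"))                      # Access Denied ('<')
    print(agent_decision(base + "/app/%22%20onclick"))                # OK with the defaults
    print(agent_decision(base + "/app/%22%20onclick", "<,',>,%22"))   # Access Denied ('"')
```

The third and fourth calls show why the default set is not enough for the attribute-injection case in this article: the payload needs a double quote but no angle brackets or single quote, so with the default BadCSSChars it passes, and only adding %22 to the set makes the agent reject it.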