URL redirect vulnerability in DX NetOps Performance Management Portal


Article ID: 210411


Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Please see the detailed description below of the URL redirection vulnerability within Performance Center that we have discovered and need to get fixed.

A page within the Performance Center web application made use of the SsoRedirectUrl parameter as the location for a redirect response. This leads to a situation in which a URL which appears to be associated with the Performance Center web application, and therefore trustworthy to regular KCOM customer users, could in fact be used to redirect the user to a site under the control of an attacker.

This type of vulnerability is often used to launch site impersonation, or phishing attacks, in which unsuspecting users are lured to malicious sites with seemingly-legitimate links. The attacker is then free to present the user with what appears to be genuine content, in an attempt, for example, to capture authentication credentials.

The following URL redirects an authenticated user to the Performance Center web application:

https://<PC_HOST>/.../saml2sso?SAMLRequest=...&RelayState=SsoProductCode%3Dpc%26SsoRedirectUrl%3Dhttps%3A%2F%2F<PC_HOST>%3A8182%2Fpc%2Fdesktop%2Fpage

The following URL shows that it was possible to change the value of the SsoRedirectUrl with a different URL (notice the change to the end of the URL which contains an external website link):

https://<PC_HOST>/.../saml2sso?SAMLRequest=...&RelayState=SsoProductCode%3Dpc%26SsoRedirectUrl%3Dhttps%3A%2F%2Fwww.google.com

If the user is not authenticated, they are first redirected to the authentication page and then to the malicious URL; otherwise they are redirected straight to the malicious URL.

Another example of open redirection can be achieved by using one of the URLs used to redirect an authenticated user to the home page of the Performance Center web application. The following URL was used by the web application to redirect a user to the home page:

https://<PC_HOST>/pc/redirector

During the assessment it was discovered that this URL accepted a query-string parameter called url, which redirected the user to an arbitrary location. The following example shows that it was possible to redirect an authenticated user to an arbitrary URL:

https://<PC_HOST>/pc/redirector?url=https://www.google.com
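As an added illustration (not code from the product or from the report above), the following Python shows how both redirect entry points described on this page can be guarded: the SsoRedirectUrl value carried inside RelayState and the url parameter of /pc/redirector are each checked against an allow-list of application hosts before being used as a redirect target, and fall back to the application landing page when the check fails. The host pc.example.internal, the landing path, the sample URLs and the function names are constructed stand-ins for the <PC_HOST> placeholders used on this page; the SAMLRequest value and the "..." path segment are left elided exactly as they appear above.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: the Performance Center host(s) a redirect may target.
# "pc.example.internal" stands in for <PC_HOST>; the port is deliberately not
# part of the check because the legitimate target on this page uses :8182.
ALLOWED_HOSTS = {"pc.example.internal"}
ALLOWED_SCHEMES = {"https"}
DEFAULT_LANDING = "/pc/desktop/page"   # fallback when the requested target is rejected


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for an absolute path on this application or an https URL
    whose hostname is on the allow-list. Everything else is an open redirect."""
    if not target:
        return False
    # Backslashes and control characters: some browsers treat "\" as "/", so
    # "/\evil.example" becomes protocol-relative; CR/LF would split the header.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be an absolute path, and "//host" is not one.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False   # rejects http:, javascript:, data:, and protocol-relative "//"
    if parts.username is not None or parts.password is not None:
        return False   # "https://pc.example.internal@evil.example" has hostname evil.example
    host = (parts.hostname or "").lower()
    return host in allowed_hosts   # exact match: no prefix/suffix tricks


def resolve_sso_redirect(relay_state: str) -> str:
    """Decode a RelayState of the form "SsoProductCode=pc&SsoRedirectUrl=..." and
    return the post-login target, substituting the landing page if it is unsafe."""
    fields = parse_qs(relay_state, keep_blank_values=True)
    target = fields.get("SsoRedirectUrl", [""])[0]
    return target if is_safe_redirect(target) else DEFAULT_LANDING


def resolve_saml_request_url(full_url: str) -> str:
    """Take a complete saml2sso URL (RelayState percent-encoded once more at the
    query level, as on this page) and derive the post-login redirect target."""
    query = urlsplit(full_url).query
    relay_state = parse_qs(query, keep_blank_values=True).get("RelayState", [""])[0]
    return resolve_sso_redirect(relay_state)


def resolve_redirector(query_string: str) -> str:
    """Same policy applied to the url parameter of /pc/redirector."""
    fields = parse_qs(query_string, keep_blank_values=True)
    target = fields.get("url", [""])[0]
    return target if is_safe_redirect(target) else DEFAULT_LANDING


# Constructed sample URLs mirroring the two RelayState cases on this page.
LEGIT_SSO_URL = (
    "https://pc.example.internal/.../saml2sso?SAMLRequest=...&RelayState="
    "SsoProductCode%3Dpc%26SsoRedirectUrl%3Dhttps%3A%2F%2Fpc.example.internal"
    "%3A8182%2Fpc%2Fdesktop%2Fpage"
)
TAMPERED_SSO_URL = (
    "https://pc.example.internal/.../saml2sso?SAMLRequest=...&RelayState="
    "SsoProductCode%3Dpc%26SsoRedirectUrl%3Dhttps%3A%2F%2Fwww.google.com"
)

if __name__ == "__main__":
    print("legit RelayState   ->", resolve_saml_request_url(LEGIT_SSO_URL))
    print("tampered RelayState->", resolve_saml_request_url(TAMPERED_SSO_URL))
    for qs in ("url=/pc/desktop/page", "url=https://www.google.com",
               "url=//www.google.com", "url=https://pc.example.internal@evil.example/"):
        print(f"/pc/redirector?{qs:<48} -> {resolve_redirector(qs)}")
```

The check is an exact hostname allow-list rather than a "starts with https://<PC_HOST>" string test: the latter is defeated by https://<PC_HOST>.evil.example and by https://<PC_HOST>@evil.example, both of which the hostname comparison above rejects. Rejecting the target and landing on the default page is preferable to echoing the rejected value back in an error, which would hand the attacker another reflection point.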

Environment

All supported DX NetOps Performance Management releases

Resolution

The SAML2 related Sso URL Redirect problem will be resolved via DE492291.

The PC related URL Redirect problem will be resolved via Feature F110587.

The solutions to both problems are expected to be included in the DX NetOps Performance Management r21.2.x release when available. This is an ETA and is subject to change.