Vulnerability Found in the Login URL Using %22 (Double Quote Character)

Article ID: 212453

Products

SITEMINDER

Issue/Introduction

We have a custom login page deployed. It looks like putting a script such as accesskey="x"onclick="alert(1)"// in the URL can make the page pop up with an error.

Example: https://www2.xxxx.com/siteminderagent/forms/ipslogin.fcc?TARGET=-SM-HTTPS:%2F%2F%22accesskey%3D%22x%22onclick%3D%22alert(1)%22%2F%2Fz43jn

We were able to reproduce this only in Firefox and not in any other browser. How can we prevent this type of attack?

Cause

The Web Agent had not been configured to block the risky characters used in the attack, namely the double quote character (%22).

Environment

Release : ALL

Component : SITEMINDER - WEB AGENT FOR APACHE

Resolution

Add %2522 to the BadQueryChars Agent Configuration Object (ACO) parameter to block the use of double quotes in request query strings. Alternatively, add %22 to the BadURLChars ACO parameter.
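
To check whether requests like the example above have already reached the login page, the web server access log can be searched for .fcc requests whose query string decodes to a double quote. The Python below is an added example, not part of the original article or the product. It assumes Apache common/combined log format, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line of an Apache common/combined log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %22 and %2522 both become a literal quote."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def quoted_fcc_requests(log_lines):
    """Return (line_number, request_target) for .fcc requests whose query
    string contains a double quote once it is fully decoded."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        parts = urlsplit(target)
        if parts.path.lower().endswith(".fcc") and '"' in fully_decode(parts.query):
            hits.append((number, target))
    return hits

# Constructed sample lines: documentation IP addresses, made-up timestamps.
FCC = "/siteminderagent/forms/ipslogin.fcc?TARGET=-SM-HTTPS:%2F%2F"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET {FCC}www2.example.com%2Fapp HTTP/1.1" 200 5120',
    f'192.0.2.44 - - [01/Jan/2024:10:02:11 +0000] "GET {FCC}%22accesskey%3D%22x%22onclick%3D%22alert(1)%22%2F%2Fz43jn HTTP/1.1" 200 5180',
    f'192.0.2.44 - - [01/Jan/2024:10:02:40 +0000] "GET {FCC}%2522x HTTP/1.1" 200 5133',
    '192.0.2.77 - - [01/Jan/2024:10:05:03 +0000] "GET /search?q=%22hello%22 HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for number, target in quoted_fcc_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```
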