shim.fcc realmoid vulnerability

Article ID: 224839

Updated On:

Products

CA Risk Authentication

Issue/Introduction

In response to the vulnerability reported for the input named realmoid in shim.fcc, we were advised to set the ACO's BadFormChars parameter, but the Security Team pointed out the following.

========================
We would not recommend the use of a deny-list/blacklist approach, as this is not an appropriate fix for a cross-site scripting vulnerability. This type of fix would be regarded as a band-aid/temporary fix rather than a mitigation. Such an approach will only block the specific characters or payloads that are part of the deny list. There are thousands of payloads that an attacker can use to exploit this vulnerability. Therefore, we would likely see this issue reported again in the future, as an attacker would be able to bypass this approach.
========================

Therefore, we are required to take another action.

There is no realmoid field in SiteMinder's login.fcc or smpwservices.fcc.

login.fcc contains the following hidden fields (apart from USER and PASSWORD):

<input type=hidden name=target value="$$target$$">
<input type=hidden name=smquerydata value="$$smquerydata$$">
<input type=hidden name=smauthreason value="$$smauthreason$$">
<input type=hidden name=smagentname value="$$smagentname$$">
<input type=hidden name=postpreservationdata value="$$postpreservationdata$$">


Below are the hidden fields in shim.fcc. Is it possible to remove realmoid from shim.fcc, as in login.fcc?

<input type=hidden name=target value="$$target$$">
<input type=hidden name=smauthreason value="$$smauthreason$$">
<input type=hidden name=smagentname value="$$smagentname$$">
<input type=hidden name=type value="$$type$$">
<input type=hidden name=realmoid value="$$realmoid$$">

Environment

Release : 9.1

Component : RiskMinder (Arcot RiskFort)

Resolution

You can comment out the realmoid parameter in the shim.fcc and shimfinal.fcc files as shown below:

<!--input type=hidden name=realmoid value="$$realmoid$$"-->

and then test the solution. It should work fine; we have tested this locally and it works.
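The following is an added example, not code from this article or from the SiteMinder/RiskMinder product, that models the Security Team's argument above: a value reflected verbatim into the shim.fcc hidden field is attacker-controlled HTML, a character deny list only stops payloads that happen to use the listed characters, and HTML-attribute encoding (or, as in the Resolution, removing the field so nothing is reflected) stops all of them. The template line is the realmoid field quoted from shim.fcc; the substitution logic, the deny list ("<>" is an assumed list for illustration, not the product's BadFormChars default), the payloads and the hazard check are all constructed here and do not show how the Web Agent actually processes FCC files.

```python
"""Model of reflecting $$realmoid$$ into the shim.fcc hidden field three ways:
raw, behind a character deny list, and HTML-attribute-encoded.
Constructed example; the real agent's FCC handling is not shown."""
import html
import re
from html.parser import HTMLParser

# The hidden field exactly as it appears in shim.fcc on this page.
SHIM_REALMOID_LINE = '<input type=hidden name=realmoid value="$$realmoid$$">'

# $$name$$ token syntax as used by the FCC files quoted above.
TOKEN = re.compile(r"\$\$(\w+)\$\$")

# Constructed payloads. The first needs angle brackets; the second breaks out of
# the value attribute with a double quote and adds an event handler, no brackets.
PAYLOAD_TAG = '"><script>alert(1)</script>'
PAYLOAD_ATTR = '" autofocus onfocus=alert(1) x="'

# Assumed deny list for illustration only; NOT the product's BadFormChars default.
ASSUMED_DENY_LIST = "<>"

# Attributes a hidden input produced by this template should carry, and no others.
EXPECTED_ATTRS = {"type", "name", "value"}


class AttrCollector(HTMLParser):
    """Record (tag, attribute names) for every start tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def render_raw(template, values):
    """Substitute tokens verbatim: the reflection the finding is about."""
    return TOKEN.sub(lambda m: values.get(m.group(1), ""), template)


def render_deny_list(template, values, deny=ASSUMED_DENY_LIST):
    """Deny-list model: a value containing any listed character is rejected
    (modelled here as substituting an empty string); anything else passes raw."""
    def sub(m):
        v = values.get(m.group(1), "")
        return "" if any(c in v for c in deny) else v
    return TOKEN.sub(sub, template)


def render_encoded(template, values):
    """Output-encoding model: escape &, <, >, \" and ' so the value can only
    ever be attribute text, whatever characters it contains."""
    return TOKEN.sub(
        lambda m: html.escape(values.get(m.group(1), ""), quote=True), template)


def hazards(rendered):
    """Parse the rendered fragment the way a browser would and list anything a
    single hidden input must not produce: extra elements, on* event-handler
    attributes, or attributes beyond type/name/value. Empty list means safe."""
    p = AttrCollector()
    p.feed(rendered)
    p.close()
    found = []
    if len(p.tags) != 1:
        found.append("unexpected tag count: %d" % len(p.tags))
    for tag, attrs in p.tags:
        if tag != "input":
            found.append("extra element: <%s>" % tag)
        for name in attrs:
            if name.startswith("on"):
                found.append("event handler attribute: %s" % name)
            elif name not in EXPECTED_ATTRS:
                found.append("unexpected attribute: %s" % name)
    return found


if __name__ == "__main__":
    renderers = [("raw", render_raw), ("deny-list", render_deny_list),
                 ("encoded", render_encoded)]
    for label, value in [("benign", "realm-1"), ("tag payload", PAYLOAD_TAG),
                         ("attribute payload", PAYLOAD_ATTR)]:
        for name, fn in renderers:
            out = fn(SHIM_REALMOID_LINE, {"realmoid": value})
            print("%-17s %-9s %s" % (label, name, hazards(out) or "ok"))
```

Running the script shows the deny list stopping the script-tag payload but passing the attribute-breakout payload untouched, while the encoded rendering has no hazards for either; commenting the field out, as the Resolution does, removes the reflection point altogether, so there is no value left to encode or filter.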