Siteminder AdminUI Susceptible to XSS Attacks
Article ID: 254139
Updated On:
Products
Issue/Introduction
The Siteminder AdminUI could be susceptible to Cross-Site Scripting (XSS) attacks when configured out of the box.
Example: https://adminui/iam/siteminder/console/ui7/<script>documentlocation="http://my_malicious_site/</script>
Environment
Release : 12.8.03; r12.8.4; r12.8.5; r12.8.6; r12.8.7
Cause
Like any web server or web application the hardening is not done OOTB. This needs to be configured.
Resolution
Option #1: Protect the Siteminder AdminUI with Siteminder Access Gateway. Implement the following in the Agent Configuration Object (ACO):
CSSChecking = yes
BadCSSChars = <,',>,%22
NOTE: Review the 'Help Prevent Attacks' section of the Siteminder product guide to determine if there are other characters you would like to implement as well as whether you wanted to also implement 'BadUrlChars', 'BadFormChars', 'BadQueryChars', 'IpChecking', etc.
Option #2: Implement the attached fix to filter the bad chars from within JBoss Wildfly on the Siteminder AdminUI.
1) Download "AdminUI-CharFilter.zip" (attached)
2) Installation instructions are in the 'readme.txt' file contained within.
Additional Information
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/start-the-administrative-ui-and-manage-objects/protect-the-administrative-ui-with-siteminder.html
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html
Attachments
Feedback
