
Siteminder AdminUI Susceptible to XSS Attacks


Article ID: 254139

Updated On:

Products

SITEMINDER

Issue/Introduction

The SiteMinder AdminUI can be susceptible to Cross-Site Scripting (XSS) when it is deployed with its out-of-the-box configuration: characters supplied in the request URL are not filtered before the request reaches the AdminUI.

Example (script placed in the request path):

https://adminui/iam/siteminder/console/ui7/<script>document.location="http://my_malicious_site/"</script>


Environment

Release: 12.8.03; r12.8.4; r12.8.5; r12.8.6; r12.8.7

Cause

As with any web server or web application, hardening is not applied out of the box (OOTB). Request filtering must be configured explicitly, either in front of the AdminUI or within it.

Resolution

Option #1: Protect the SiteMinder AdminUI with SiteMinder Access Gateway and set the following parameters in the Agent Configuration Object (ACO) used by that agent, so that requests containing the listed characters are rejected before they reach the AdminUI:

CSSChecking = yes

BadCSSChars = <,',>,%22

NOTE: Each BadCSSChars entry is a literal character sequence, which is why the percent-encoded double quote is listed as %22. Review the 'Help Prevent Attacks' section of the SiteMinder product guide to decide whether to block additional characters and whether to also enable 'BadUrlChars', 'BadFormChars', 'BadQueryChars', 'IpChecking', etc. Test the AdminUI after enabling these settings, since blocking a character that legitimate AdminUI requests contain would break the console.


Option #2: Install the attached fix, which filters the bad characters within the WildFly (JBoss) application server that hosts the SiteMinder AdminUI, so it does not depend on an Access Gateway in front of the AdminUI.

1) Download "AdminUI-CharFilter.zip" (attached).

2) Follow the installation instructions in the 'readme.txt' file contained within.
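The following servlet filter is an added illustration of the check that both options describe (the CSSChecking/BadCSSChars comparison in Option #1 and the in-server filter in Option #2). It is not the contents of the attached AdminUI-CharFilter.zip and not SiteMinder code; the class name, the javax.servlet API (Jakarta EE 9+ containers use jakarta.servlet instead), and the "/*" URL pattern are assumptions.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative request filter for the SiteMinder AdminUI on WildFly.
 * Added example: NOT the code in the attached AdminUI-CharFilter.zip and not
 * SiteMinder's own code. Assumes the javax.servlet API (change the imports to
 * jakarta.servlet.* on Jakarta EE 9+); the "/*" pattern is an assumption.
 */
@WebFilter(urlPatterns = "/*")
public class AdminUiCharFilter implements Filter {

    // Same sequences as the ACO setting in Option #1:  BadCSSChars = <,',>,%22
    // Each entry is a literal sequence, so "%22" matches the percent-encoded
    // double quote exactly as it appears in the raw request line.
    private static final List<String> BAD_SEQUENCES = Arrays.asList("<", "'", ">", "%22");

    /**
     * Returns true if the raw request target (path plus query string) contains
     * a blocked sequence, either literally or after one round of percent-decoding.
     * ".../ui7/<script>..." is caught by the raw comparison, ".../ui7/%3Cscript%3E..."
     * and the double-encoded "%2522" by the decoded comparison, while the
     * legitimate ".../iam/siteminder/console/ui7/" passes.
     */
    static boolean containsBadChars(String rawPath, String rawQuery) {
        String target = rawQuery == null ? rawPath : rawPath + "?" + rawQuery;
        String decoded;
        try {
            decoded = URLDecoder.decode(target, "UTF-8");
        } catch (IllegalArgumentException | UnsupportedEncodingException e) {
            return true; // malformed percent-encoding: fail closed
        }
        for (String bad : BAD_SEQUENCES) {
            if (target.contains(bad) || decoded.contains(bad)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getRequestURI() and getQueryString() return the request target as sent,
        // without decoding, which is what the raw comparison above relies on.
        if (containsBadChars(http.getRequestURI(), http.getQueryString())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return; // do not pass the request on to the AdminUI
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The filter rejects with 400 rather than stripping the characters, because a request to the AdminUI that carries <, ', > or %22 in its path or query has no legitimate purpose and rewriting it silently would hide probing from the server logs. The check runs inside the application server, so it protects the AdminUI even when it is reached without passing through an Access Gateway; how to package and deploy it is what the attached readme.txt covers.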

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/start-the-administrative-ui-and-manage-objects/protect-the-administrative-ui-with-siteminder.html

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html

Attachments

1668177560549__AdminUI-CharFilter.zip