XSS Vulnerability in Siteminder Post Preservation Page

Article ID: 387898

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder)

Issue/Introduction

It is possible to inject arbitrary JavaScript, for example "><img src=x onerror=vc0d3(7807354796)>, into an output parameter by breaking out of an HTML element's attribute on

https://server.domain.com/ac/SmMakeCookie.ccc?SMSESSION=QUERY&PERSIST=0&TARGET=$SM$https%3a%2f%2fserver%2edomain%2ecom%2fdirectory%2fdirectory%2ffile%2edo.

After breaking out of the attribute it is possible to attach additional event handlers, so that when the event fires (for example when the mouse moves over the element) the injected code executes. This form of Cross-Site Scripting is considered persistent XSS because, once the injected data is sent to the server, it is stored and persists across requests. The consequences vary depending on where and to whom the inserted data is displayed. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify the presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.

Environment

PRODUCT: Symantec Siteminder

COMPONENT: 

VERSION: r12.8.8.1 and older

OS: ANY

Cause

  • If the name of the form field is enclosed in single quotes ('), the web browser encodes the special characters in the POST request.
  • If the name of the form field is NOT enclosed in single quotes ('), the browser does NOT encode the special characters in the POST request.

==============================
<INPUT TYPE="HIDDEN" NAME="namevalue"><script>alert(1)</script>" VALUE="NA">
==============================

(Above) the NAME= attribute is enclosed in double quotes ("). The double quote inside the injected name terminates the attribute, so the web browser does NOT encode the special characters when the data is HTTP posted. Because the special characters are not encoded, the script is executed.

==============================
<INPUT TYPE="HIDDEN" NAME='namevalue'><script>alert(1)</script>' VALUE="NA">
==============================

(Above) the NAME= attribute is enclosed in single quotes ('). The browser WILL encode the special characters when the data is HTTP posted.

Here is the field as it appears in the POST body when it is properly encoded:

NAME='namevalue%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E=NA'

Resolution

Ideally, the solution is to modify the form so that the attribute values are enclosed in single quotes. This ensures that the web browser encodes the values, so the injected script cannot be executed.

Future versions of the Siteminder Access Gateway Server and Web Agent will instead modify the value from the fcc page and set the quoting to a single quote (') on the redirect response. This ensures that the web browser encodes the special characters.
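The following is an added example in JavaScript, written for this article and not SiteMinder code, that models both the Cause and the Resolution above. It renders the hidden field with the injected name shown in the article in each quote style, uses a deliberately simplified attribute tokeniser (an assumption standing in for the browser's real HTML parser) to show whether the <script> tag escapes the attribute, reproduces with URLSearchParams what the browser would post for the field, and adds an HTML attribute encoder as a complementary hardening that is not part of the article's fix. All function names are the example's own.

```javascript
// Added example (not SiteMinder code): how the quote style around NAME= decides
// whether a hostile field name breaks out of the attribute, and an output-encoding
// fix that holds regardless of quote style.

// Constructed payload with the same shape as the one in the article.
const HOSTILE_NAME = 'namevalue"><script>alert(1)</script>';

// Vulnerable pattern: the field name is written into the attribute verbatim.
function renderHiddenInputUnsafe(name, value, quote) {
  return `<INPUT TYPE="HIDDEN" NAME=${quote}${name}${quote} VALUE="${value}">`;
}

// Hardened pattern: HTML-encode every character that can terminate an
// attribute value or start a tag, so neither quote style can be broken out of.
function encodeForAttribute(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderHiddenInputSafe(name, value, quote) {
  return `<INPUT TYPE="HIDDEN" NAME=${quote}${encodeForAttribute(name)}${quote} ` +
         `VALUE="${encodeForAttribute(value)}">`;
}

// Simplified model (assumption, not a real HTML parser) of how the browser
// tokenises the markup: an attribute value runs from the opening quote to the
// next quote of the same kind, and entity references inside it are decoded.
const ATTR_RE = /(\w+)=(["'])(.*?)\2/g;

function decodeEntities(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => map[e]);
}

function parseAttributes(markup) {
  const attrs = {};
  for (const m of markup.matchAll(ATTR_RE)) {
    attrs[m[1].toUpperCase()] = decodeEntities(m[3]);
  }
  return attrs;
}

// True when a <script tag survives outside every quoted attribute value,
// i.e. the payload escaped the attribute context and will be executed.
function scriptEscapedAttribute(markup) {
  return /<script/i.test(markup.replace(ATTR_RE, ''));
}

// What the browser sends for this field in an application/x-www-form-urlencoded
// POST body (URLSearchParams uses the same serializer as form submission).
function formEncode(name, value) {
  return new URLSearchParams({ [name]: value }).toString();
}

// Render with the given renderer and quote style, then report what the browser
// would see as the field name, whether the script escaped, and what gets posted.
function analyse(render, quote) {
  const markup = render(HOSTILE_NAME, 'NA', quote);
  const name = parseAttributes(markup).NAME;
  return {
    markup,
    name,
    escaped: scriptEscapedAttribute(markup),
    posted: formEncode(name, 'NA'),
  };
}

for (const [label, render] of [['unsafe', renderHiddenInputUnsafe], ['encoded', renderHiddenInputSafe]]) {
  for (const quote of ['"', "'"]) {
    const r = analyse(render, quote);
    console.log(`${label} ${quote}: escaped=${r.escaped} posted=${r.posted}`);
  }
}
```

With the unsafe renderer and double quotes the tokeniser sees NAME="namevalue" and a bare <script> tag, which is the executed case in the article; with single quotes the whole injected string stays inside the attribute and the browser posts it percent-encoded, exactly as in the encoded POST line above. With the attribute encoder both quote styles stay intact, which is why output encoding rather than quote choice is the check a reviewer would look for in any page that echoes request data into an attribute.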