CVE-2003-1311 in a Siteminder Environment



Article ID: 402846


Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

CVE-2003-1311

/siteminderagent/SmMakeCookie.ccc in SiteMinder does not ensure that the TARGET parameter names a valid redirection resource, which allows remote attackers to construct a URL that might trick users into visiting an arbitrary web site referenced by this parameter.

Environment

PRODUCT: Siteminder

COMPONENT: Web Agent, Access Gateway Server

VERSION: Any

OPERATING SYSTEM: Any

Cause

This issue is not limited to 'SmMakeCookie.ccc'. With the out-of-the-box configuration it applies to any user request that carries a redirect target: the Web Agent will send the user's browser to any domain named in that target.

Resolution

The 'ValidTargetDomain' Agent Configuration Object (ACO) parameter is designed to prevent this from occurring. It is a multi-valued parameter that restricts the Siteminder Web Agent from redirecting a user to any domain other than the one(s) defined in the 'ValidTargetDomain' ACO parameter.

Define Valid Target Domains

Web Agents can help protect against phishing attempts that redirect users to a hostile web site, using the following parameter:

ValidTargetDomain

Specifies the domains to which a credential collector is allowed to redirect users. If the domain in the redirect URL does not match one of the domains set in this parameter, the redirect is denied.

Default: No default

This parameter is supported by all advanced authentication schemes, including forms credential collectors (FCCs).

During processing, the ValidTargetDomain parameter identifies the valid domains for the target. Before redirecting the user, the Web Agent compares the values in the redirect URL against the domains in this parameter. Without this parameter, the Web Agent redirects the user to targets in any domain.

The ValidTargetDomain parameter can include multiple values, one for each valid domain.

For local Web Agent configurations, specify an entry, one on each line, for each domain, for example:

validtargetdomain=".<Domain>.com"

validtargetdomain=".<child_domain>.<Domain>.com"
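To make the check described above concrete, the following Python script models what an allow-list of target domains has to do with a user-supplied TARGET value before the Web Agent redirects to it. It is an added illustration, not SiteMinder code and not a description of how the Web Agent's own matcher is implemented: the domain values '.example.com' and '.sso.example.com', the sample TARGET values, and the assumption that a leading-dot entry matches the domain itself as well as its subdomains are all constructed for the example. It goes a little beyond the page by also rejecting targets that are not http/https, that hide the real host behind userinfo, or that use backslashes, since those are the usual ways an open-redirect filter gets bypassed.

```python
from urllib.parse import urlsplit

# Constructed sample values for the ValidTargetDomain ACO parameter.
# The leading dot follows the article's examples; treating it as "this
# domain and any subdomain" is an assumption made for this example.
VALID_TARGET_DOMAINS = [".example.com", ".sso.example.com"]


def host_matches(host, configured):
    """Return True if host is covered by one configured domain entry."""
    configured = configured.strip().lower()
    host = host.rstrip(".")  # a trailing dot names the same zone
    if configured.startswith("."):
        # ".example.com" covers example.com and *.example.com. Matching on
        # the dotted suffix keeps evil-example.com and example.com.evil.test
        # out, because neither ends with ".example.com".
        return host == configured[1:] or host.endswith(configured)
    # An entry without a leading dot is taken as an exact host name.
    return host == configured


def is_allowed_target(target, valid_domains=VALID_TARGET_DOMAINS):
    """Decide whether a TARGET value may be used for a redirect.

    Without an allow-list every absolute URL would be accepted, which is
    the open-redirect condition the article describes. With one, only
    site-relative paths and http(s) URLs on listed domains pass.
    """
    # Browsers treat backslashes as forward slashes in URLs, so normalise
    # first; otherwise "http:\\evil.test" parses as a host-less path.
    normalised = target.strip().replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:
        return False  # unparsable input is never a safe redirect
    host = parts.hostname  # lowercased, userinfo and port already removed
    if host is None:
        # No host at all: accept only a plain site-relative path. Anything
        # carrying a scheme (javascript:, data:, ...) is denied, as is a
        # protocol-relative "//" form, which would be caught above anyway.
        return (parts.scheme == "" and normalised.startswith("/")
                and not normalised.startswith("//"))
    # An absolute target must be a web URL on a listed domain. Checking the
    # scheme blocks "javascript://www.example.com/%0a..." style payloads.
    if parts.scheme not in ("http", "https"):
        return False
    return any(host_matches(host, d) for d in valid_domains)


def evaluate(targets, valid_domains=VALID_TARGET_DOMAINS):
    """Map each candidate TARGET to its allow/deny decision."""
    return {t: is_allowed_target(t, valid_domains) for t in targets}


if __name__ == "__main__":
    # Constructed TARGET values, mixing legitimate ones with bypass attempts.
    samples = [
        "https://www.example.com/app/home",
        "/app/home",
        "https://evil.test/phish",
        "https://example.com.evil.test/",
        "https://evil-example.com/",
        "http://www.example.com@evil.test/",
        "//evil.test/",
        "javascript://www.example.com/%0aalert(1)",
        "http:\\\\evil.test\\",
    ]
    for target, allowed in evaluate(samples).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {target}")
```

Run it directly to see the decision for each sample; with the allow-list empty or absent, every absolute URL in the list would instead be accepted, which is exactly the behaviour the ValidTargetDomain parameter exists to remove.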

Additional Information