Path Traversal not being blocked

Article ID: 414184

Products

SITEMINDER

Issue/Introduction

The SiteMinder Web Agent has been configured to reject requests containing potentially malicious URL sequences via the BadURLChars ACO parameter, for instance:

badurlchars='//,./,/.,/*,*.,~,,%00-%1f,%7f-%ff,%25,/../'.

However, when a certain resource is accessed with a Path Traversal attempt such as

https://<web_server>/<resource>/../<target_dir>

the request is not blocked by SiteMinder.

Cause

In the Web Agent trace one can see the following:

10/08/2025|14:59:35|||Resolved agentname: '<agent_name>'.|
10/08/2025|14:59:35|||Resolved Client IP address '<client_status>'.|
10/08/2025|14:59:35|||Resolved URL: '/<resource>/../<target_dir>'.|
10/08/2025|14:59:35|||Auto-authorizing resource, matches IgnoreUrl filter.|
10/08/2025|14:59:35||/main.js|Autoauthorizing URL : https://<web_server>/<resource>/../<target_dir>
10/08/2025|14:59:35||/main.js|Resolved METHOD: 'GET'.|
10/08/2025|14:59:35||/main.js|Resolved cookie domain: '.<domain_name>'.|GET
10/08/2025|14:59:35||/main.js|Resource is autoauthorized. skip processing the request|GET
10/08/2025|15:00:15|||LogMessage:INFO:[sm-AgentFunc-00040] Agent API has been released.|

The Web Agent log shows that the IgnoreUrl ACO parameter is set for that resource:

[198827/2406602496][Wed Oct 08 2025 15:03:54] ignoreurl='http://xxx/<resource>'.

If IgnoreURL is defined (1), SiteMinder does not protect the URI specified in that ACO parameter: as the trace shows, a request matching the IgnoreUrl filter is auto-authorized and the Web Agent skips all further processing of it. Access is therefore granted even though the agent is meant to reject potentially malicious URLs through the BadURLChars ACO parameter, because that check is never reached for an ignored URL.

Resolution

Comment out the IgnoreURL ACO parameter or, if it is needed, implement native protection against Path Traversal in the web server on which the SiteMinder Web Agent is running, so that traversal requests are rejected before they reach the agent.
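As an added illustration (not SiteMinder code or the article's own), the following Python models the evaluation order visible in the trace above, where an IgnoreUrl match short-circuits the BadURLChars check, next to the kind of web-server-side check the Resolution asks for. The prefix '/app' stands in for '<resource>' and every path is a constructed sample.

```python
from urllib.parse import unquote

# Constructed values patterned on the article's ACO settings; '/app' stands in
# for the article's '<resource>' (assumption, not a real deployment value).
IGNORE_URL_PREFIX = "/app"
# Literal substrings taken from the article's badurlchars value; the
# %00-%1f and %7f-%ff entries are handled below as byte ranges.
BAD_SEQUENCES = ["//", "./", "/.", "/*", "*.", "~", ",", "%25", "/../"]
BAD_BYTE_RANGES = [(0x00, 0x1F), (0x7F, 0xFF)]


def matches_bad_url_chars(raw_path: str) -> bool:
    """BadURLChars-style check applied to the raw (still encoded) path."""
    if any(seq in raw_path for seq in BAD_SEQUENCES):
        return True
    # Look at each percent-encoded byte for the %00-%1f / %7f-%ff ranges.
    for i in range(len(raw_path) - 2):
        if raw_path[i] == "%":
            try:
                byte = int(raw_path[i + 1:i + 3], 16)
            except ValueError:
                continue
            if any(lo <= byte <= hi for lo, hi in BAD_BYTE_RANGES):
                return True
    return False


def agent_decision_as_traced(raw_path: str) -> str:
    """Model of the order seen in the trace (a model, not SiteMinder's code):
    an IgnoreUrl match auto-authorizes the request and skips all further
    processing, so BadURLChars is never applied to it."""
    if raw_path.startswith(IGNORE_URL_PREFIX):
        return "auto-authorized"   # 'Resource is autoauthorized. skip processing'
    if matches_bad_url_chars(raw_path):
        return "rejected"
    return "protected"             # handed to the Policy Server as usual


def web_server_allows(raw_path: str) -> bool:
    """Native protection placed in the web server, as the Resolution suggests:
    reject bad sequences and dot segments before the agent and its IgnoreUrl
    filter are ever consulted. Decodes once so encoded dots are seen too."""
    if matches_bad_url_chars(raw_path):
        return False
    segments = unquote(raw_path).split("/")
    return not any(seg in (".", "..") for seg in segments)
```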

Additional Information