ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
XSS Vulnerabilities :: SmPwServices.fcc
Article ID: 50999
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
Description:
I am running Password Services, and when I am running Penetration Test, I discover that vulnerability has been found in the 'Change Password' form on the following parameters: SNENC, SMTOKEN, TARGET and USERNAME which compromise the security of the environment. How can I avoid this?
Solution:
Set the following ACO parameters:
Badurlchars
Csschecking
SecureURLs
If you are using a .fcc file for logout then in the logoffuri paramteer you need to set SMQUERYDATA. For e.g. logoffuri should be something like:
/AAA/logout.fcc?SMQUERYDATA=-SM-
and not /AAA/logout.fcc
Since SecureURLs is enabled, webagent will look for SMQUERYDATA in the url every time it process an .fcc file.
Environment
Release:
Component: SMAPC
Component: SMAPC
Feedback
Yes
No
Powered by
