Is there any particular reason to include "./" and "/." to bad URL characters of Agent Configuration Object?
search cancel

Is there any particular reason to include "./" and "/." to bad URL characters of Agent Configuration Object?


Article ID: 54477


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



What is the exact reason to list "./" and "/." as bad URL characters in the Agent Configuration Object? What are the impacts if these parameters are removed from bad URL characters?


"." has an intrinsic meaning for UNIX based file systems. "." is typically "current working directory", and ".." is "parent directory". There have been a series of "directory traversal" attacks against misconfigured web-servers where the URL is:

http://host.domain/../../../../../../etc/passwd etc.

The idea is to trick the web-server into serving a text file that is not supposed to be available.

There are many ways to mitigate these sorts of attacks, of which one is to include "/." as a BadUrlCharacter, in addition to properly setting file-system permissions and not running the web-server as a privileged user.

In addition to the above mentioned point there are a few more considerations to this.

First, most modern web servers will pre-translate URLs with ../../../ in them before invoking SiteMinder. That means the agent will get the final URL instead of needing to understand directory traversal. Having "/." and "./" in BadUrlChars is an additional layer of security for those web-servers who might have vulnerabilities to directory traversal. Because of this, removing "/." from BadUrlChars also opens a window of vulnerability. Consider the following:

Instead of protecting a parent directory (like /) one protects /protected, and there are other unprotected resources in peer-directories (like /unprotected). If you remove both "/." and "./" from BadUrlChars from the ACO you are now vulnerable to the following directory traversal attack that will bypass SiteMinder:


>Keeping at least one of "/." and "./" is highly recommended, unless the access rules for the realm are very broad.


Component: SMPLC