Description:
What is the exact reason to list "./" and "/." as bad URL characters in the Agent Configuration Object? What are the impacts if these parameters are removed from bad URL characters?
Solution:
"." has an intrinsic meaning for UNIX based file systems. "." is typically "current working directory", and ".." is "parent directory". There have been a series of "directory traversal" attacks against misconfigured web-servers where the URL is:
http://host.domain/../../../../../../etc/passwd etc.
The idea is to trick the web-server into serving a text file that is not supposed to be available.
There are many ways to mitigate these sorts of attacks. One of them is to include "/." in the BadUrlChars parameter, in addition to setting file-system permissions properly and not running the web server as a privileged user.
Beyond the point above, there are two further considerations.
First, most modern web servers pre-translate URLs containing ../../../ before invoking the SiteMinder agent, so the agent receives the final, resolved URL and does not itself need to understand directory traversal. Listing "/." and "./" in BadUrlChars is therefore an additional layer of defence for web servers that are, or may later turn out to be, vulnerable to directory traversal. Second, removing "/." and "./" from BadUrlChars also opens a window of vulnerability in the agent's own policy matching, independent of any web-server bug. Consider the following:
Instead of protecting a parent directory (such as /), one protects /protected, and there are other unprotected resources in peer directories (such as /unprotected). If you remove both "/." and "./" from the ACO's BadUrlChars, you are now vulnerable to the following directory traversal attack, which bypasses SiteMinder because the agent matches the request against /unprotected while the web server serves a file under /protected:
http://host.domain/unprotected/../../../../protected/secret.html
Keeping at least one of "/." and "./" is highly recommended, unless the access rules for the realm are very broad.
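The bypass described above, as an added worked example (this is not code from the article or from the SiteMinder product; it is a model written here to illustrate the point). The realm layout (/protected covered by a realm, /unprotected a peer directory with none), the decision function names and the sample URLs are all constructed assumptions. The model shows three things on the same attack URL: with "/." and "./" in BadUrlChars the agent rejects the request outright; with them removed, a realm match done on the raw path classifies the request as unprotected while the server resolves it to /protected/secret.html; and normalizing the path before the realm match (an alternative mitigation, not something the article says the agent does) also closes the gap.

```python
"""Model of a BadUrlChars check versus a realm match on a traversal URL.

Constructed example: the realm layout, the decision logic and the sample
URLs are hypothetical stand-ins for the real SiteMinder agent and ACO.
"""
import posixpath
from urllib.parse import urlsplit, unquote

# Hypothetical realm layout from the text: only /protected has a realm;
# /unprotected is a peer directory with no realm.
PROTECTED_PREFIXES = ("/protected/",)

# The two ACO BadUrlChars entries under discussion.
BAD_URL_CHARS = ("/.", "./")


def request_path(url: str) -> str:
    """Extract the path and decode percent-encoding once.

    Assumption of this model: the check runs on the decoded path, so a
    request written as %2e%2e/ is seen as ../ by the checks below.
    """
    return unquote(urlsplit(url).path)


def has_bad_url_chars(path: str) -> bool:
    """Agent-side rejection: any occurrence of a BadUrlChars entry."""
    return any(bad in path for bad in BAD_URL_CHARS)


def server_resolved_path(path: str) -> str:
    """What a web server that honours . and .. actually serves: the path
    with those segments collapsed, anchored at the document root."""
    return posixpath.normpath("/" + path.lstrip("/"))


def realm_match(path: str) -> bool:
    """Prefix match of a path against the protected realm(s)."""
    return any(path.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def agent_decision(url: str, bad_url_chars: bool = True,
                   normalize_first: bool = False) -> str:
    """Return 'deny' (rejected by BadUrlChars), 'protected' (a realm
    applies, so the request is authenticated/authorized) or 'unprotected'
    (passed straight through to the web server)."""
    path = request_path(url)
    if bad_url_chars and has_bad_url_chars(path):
        return "deny"
    if normalize_first:
        # Alternative mitigation: match the realm on the resolved path.
        path = server_resolved_path(path)
    return "protected" if realm_match(path) else "unprotected"


def bypasses_siteminder(url: str, **opts) -> bool:
    """True when the agent lets the request through as unprotected but the
    server would serve a file that lies under a protected realm."""
    resolved = server_resolved_path(request_path(url))
    return agent_decision(url, **opts) == "unprotected" and realm_match(resolved)


if __name__ == "__main__":
    attack = "http://host.domain/unprotected/../../../../protected/secret.html"
    for opts in ({"bad_url_chars": True},
                 {"bad_url_chars": False},
                 {"bad_url_chars": False, "normalize_first": True}):
        verdict = agent_decision(attack, **opts)
        leak = "BYPASS" if bypasses_siteminder(attack, **opts) else "no bypass"
        print(f"{opts}: {verdict} -> {leak}")
```

The model decodes percent-encoding before checking for "/." and "./"; a substring blocklist applied only to the undecoded string would miss a request written as %2e%2e/, so whether a real agent decodes first is worth confirming for the version in use. The article does not state this either way.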