SPS affwebservices/router/session resources vulnerable to an XXE injection attack

book

Article ID: 7468

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

I'm running SPS and when reaching the following resource on it

 

    https://myserver.mydomain.com/affwebservices/router/session

 

we've found a vulnerability to an XXE injection attack. Indeed an attacker exploiting this vulnerability is able to retrieve confidential data and access sensitive files on the server, e.g. the Linux "/etc/passwd" file when SPS runs on Linux.

 

Cause

SiteMinder's "affwebservices" part contains two SOAP services: router and session. You can send a SOAP request to the endpoints with an external entity reference inside the parameter, this will cause an exception when the service tries to parse the contents of a requested system file (/etc/passwd, for example) into a valid date/timestamp. But the server response will show the content of the /etc/passwd file.

Environment

Policy Server 12.52SP1CR02SPS 12.52SP1

Resolution

This issue is fixed in SPS 12.52SP1CR06

 

When hitting the URL, the browser should received return code 404

 

00424351 DE172435

CA Access Gateway is vulnerable to an XXE injection attack and able to retrieve confidential data and access sensitive files on the server, for example the "passwd" file.

 

defects fixed in 1252sp1cr06