Arbitrary code can be executed in the login.fcc page if the user uses the Internet Explorer browser.

Article ID: 92573

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

When the Web Agent is running and a protected resource has a "
character in the query part of its URL, arbitrary code can be
executed in the login.fcc page if the user uses the Internet Explorer
browser. This issue cannot be reproduced with other browsers.

This seems to be an issue in IE (1). 

 

Resolution

 

In the Web Agent ACO, set the following parameter:

  fcchtmlencoding to yes (2)

to resolve this vulnerability, which is introduced by the Internet
Explorer behavior.

 

Additional Information

 

(1)

   IE URI Encoding Behavior Facilitates XSS Attacks, Researchers Say

     "Internet Explorer (IE) doesn't encode double quote characters (")
     in the query part of the uniform resource identifier (URI)," Rob
     Rachwald, Imperva's director of security strategy, said in a blog
     post.

     "This behavior, besides being non standard (as stated by RFC 3986
     [the Internet Engineering Task Force memorandum describing the
     generic URI syntax] and implemented by other browsers including
     Chrome or Firefox) may expose IE users to reflected XSS attacks,"
     he said.
 
   https://www.pcworld.com/article/248408/ie_uri_encoding_behavior_facilitates_xss_attacks_researchers_say.html


(2)

    Help Prevent Attacks

      To prevent cross-site scripting attacks against the web agent FCC
      pages, use HTML encoding to ensure that your FCC variable data is
      rendered correctly.

      HTML encoding ensures that the characters are treated as their literal
      value and not as HTML syntax. Encoding ensures that the damaging
      cross-site scripting syntax is rendered as literal text as it must
      appear and that the browser does not execute the code while rendering
      the HTML form. You can encode all the syntax that could be misused
      during an attack.

      The fcchtmlencoding parameter instructs an agent to apply an HTML
      encoding algorithm to all the values inserted into the FCC variables
      that have the following syntax:

        $$varname$$

      If the characters that are traditionally blocked are necessary in the
      FCC data, then enable the fcchtmlencoding parameter.

      fcchtmlencoding

      Specifies whether the HTML encoding is enabled to prevent Cross-Site
      Scripting attacks against web agent FCC pages. This parameter does not
      block any characters.

        Values: Yes and No.
        Default: No

      The fcchtmlencoding parameter applies to all the variable
      substitutions for all the FCC forms. An agent using this parameter can
      serve one or more FCC forms

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8.html
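
The effect of HTML-encoding a $$varname$$ substitution, as an added example that is not code from the product or from this article: it models the substitution with a small stand-in renderer and then parses the result to show what a browser's HTML parser would see. The template fragment, the variable name `target`, the sample URL and the helper names `render_fcc` and `parsed_tags` are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed FCC fragment; the variable name "target" is an assumption.
FCC_TEMPLATE = '<input type="hidden" name="target" value="$$target$$">'
# Constructed value: a URL whose query part carries a raw double quote,
# followed by harmless marker markup.
SAMPLE_TARGET = '/app/page?q="><b>marker</b>'

_FCC_VAR = re.compile(r"\$\$(\w+)\$\$")


def render_fcc(template, values, html_encode):
    """Substitute each $$varname$$; HTML-encode the value when html_encode is set."""
    def substitute(match):
        value = values.get(match.group(1), "")
        # quote=True also encodes " and ', the characters that end an attribute.
        return html.escape(value, quote=True) if html_encode else value
    return _FCC_VAR.sub(substitute, template)


class _TagCollector(HTMLParser):
    """Records every start tag an HTML parser finds in the rendered form."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup):
    """Return the (tag, attributes) pairs found in the rendered markup."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for label, encode in (("encoding off", False), ("encoding on", True)):
        page = render_fcc(FCC_TEMPLATE, {"target": SAMPLE_TARGET}, encode)
        print(label, "->", page)
        for tag, attrs in parsed_tags(page):
            print("   parsed tag:", tag, attrs)
```

With encoding off, the parser sees the attribute end at the raw quote and a second element appear; with encoding on, it sees a single input element whose value is the original string.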