Message-ID: <D7DDF83751235046BFAC82E1244EB4C8081764BD@usilms23.ca.com>
Date: Tue Jul 19 18:23:13 2005
From: James.Williams at ca.com (Williams, James K)
Subject: Re: SiteMinder Multiple Vulnerabilities (solution)

> List: full-disclosure
> Subject: SiteMinder Multiple Vulnerabilities
> From: c0ntex <c0ntexb () gmail ! com>
> Date: 2005-07-08 14:08:53
>
> $ An open security advisory #10 - Siteminder v5.5
> Vulnerabilities
>
> [...]

This issue is NOT present in out-of-the-box installations of SiteMinder.

All supported versions of SiteMinder have an agent configuration parameter called "CSSChecking" that is, by default, set to "YES". A SiteMinder administrator would have to intentionally set this parameter to "NO" to become vulnerable to this issue.

The "CSSChecking" configuration parameter has been very well documented in SiteMinder product documentation since 2001. This issue is also documented and addressed in a security advisory posted in October 2002 at this URL:

(URL may wrap)
https://support.netegrity.com/ocp/custom/productdownload/productdownload.asp?isNodeGroup=null&ProductNumber=735&ParentId=493&groupType=249

Note that SiteMinder customers should continue to go to support.netegrity.com for product support.

Regards,
kw

Ken Williams ; Vulnerability Research
Computer Associates ; 0xE2941985
A9F9 44A6 B421 FF7D 4000 E6A9 7925 91DF E294 1985