Open Source and information security mailing list archives
 
Message-ID: <D7DDF83751235046BFAC82E1244EB4C8081764BD@usilms23.ca.com>
Date: Tue Jul 19 18:23:13 2005
From: James.Williams at ca.com (Williams, James K)
Subject: Re: SiteMinder Multiple Vulnerabilities (solution)


> List:       full-disclosure
> Subject:    SiteMinder Multiple Vulnerabilities
> From:       c0ntex <c0ntexb () gmail ! com>
> Date:       2005-07-08 14:08:53
>
> $ An open security advisory #10 - Siteminder v5.5 
> Vulnerabilities
>
> [...]

This issue is NOT present in out-of-the-box installations of 
SiteMinder.  All supported versions of SiteMinder have an
agent configuration parameter called "CSSChecking" that is,
by default, set to "YES".  A SiteMinder administrator would 
have to intentionally set this parameter to "NO" to become 
vulnerable to this issue.

The "CSSChecking" configuration parameter has been very well 
documented in SiteMinder product documentation since 2001.

This issue is also documented and addressed in a security 
advisory posted in October 2002 at this URL:
(URL may wrap)
https://support.netegrity.com/ocp/custom/productdownload/productdownload.asp?isNodeGroup=null&ProductNumber=735&ParentId=493&groupType=249

Note that SiteMinder customers should continue to go to 
support.netegrity.com for product support.

Regards,
kw
                                                           
Ken Williams ; Vulnerability Research 
Computer Associates ; 0xE2941985
A9F9 44A6 B421 FF7D 4000 E6A9 7925 91DF E294 1985
