Re: SiteMinder Multiple Vulnerabilities (solution)

Subject: Re: SiteMinder Multiple Vulnerabilities (solution)
Date: Tue, 19 Jul 2005 13:24:39 -0400

List:       bugtraq
Subject:    SiteMinder Multiple Vulnerabilities
From:       c0ntex <c0ntexb () gmail ! com>
Date:       2005-07-08 14:03:11

$ An open security advisory #10 - Siteminder v5.5 Vulnerabilities

[...]

This issue is NOT present in out-of-the-box installations of 
SiteMinder.  All supported versions of SiteMinder have an
agent configuration parameter called "CSSChecking" that is,
by default, set to "YES".  A SiteMinder administrator would 
have to intentionally set this parameter to "NO" to become 
vulnerable to this issue.

The "CSSChecking" configuration parameter has been very well 
documented in SiteMinder product documentation since 2001.

This issue is also documented and addressed in a security 
advisory posted in October 2002 at this URL:
(URL may wrap)
https://support.netegrity.com/ocp/custom/productdownload/productdownload.asp?isNodeGroup=null&ProductNumber=735&ParentId=493&groupType=249

Note that SiteMinder customers should continue to go to 
support.netegrity.com for product support.

Regards,
kw
                                                           
Ken Williams ; Vulnerability Research 
Computer Associates ; 0xE2941985
A9F9 44A6 B421 FF7D 4000 E6A9 7925 91DF E294 1985

