|
SiteMinder is designed to provide authentication protection for web sites. A specially crafted URL can be used to bypass SiteMinder authentication and access web pages that are supposed to be protected. DEMONSTRATION SiteMinder works by intercepting requests for protected URLs and prompting the user for a username and password. By changing the URL an attacker can not only bypass authentication but also execute a CGI application, view CGI application source code, and execute a servlet. For example, if www.testsite.com/cgi-bin/confidential.html is a protected web site an attacker would simply have to submit the following URL to bypass authentication; www.testsite.com/cgi-bin/confidential.html/$/hack.ccc In order to execute a CGI application the attacker would enter the following; www.testsite.com/cgi-bin/noaccess.cgi$/hack.ccc?subject=test To view the source of a CGI application; www.testsite.com/cgi-bin/noaccess.cgi/$/hack.ccc And finally to execute a servlet the attacker would use; www.testsite.com/applets/noaccess/$/hack.ccc?query=test Note that in the examples the non-existant file hack.ccc is used after the $/ delimeter. Any filename can be used here as long as the ccc, .class, or .jpg file extensions are used. VENDOR RESPONSE According to @stake, Netegrity had fixed this issue earlier in the year and released version 4.11 which is not vulnerable. Netegrity has also notified their customers of this issue. Information from Netegrity is available from their customer support website. CREDIT |
SiteMinder Exposes Protected Web Pages
0 comments
Hide comments
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
Top IT Certifications for a Career in Finance
Apr 12, 2024
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024