BID:12284

Netegrity SiteMinder HTML Page Injection Vulnerability

Info

Netegrity SiteMinder HTML Page Injection Vulnerability

Bugtraq ID:	12284
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Jan 17 2005 12:00AM
Updated:	Jan 17 2005 12:00AM
Credit:	Discovery is credited to Marc Ruef <[email protected]>.
Vulnerable:	Netegrity SiteMinder 6.0 Netegrity SiteMinder 5.5 Netegrity SiteMinder 4.5.1 SP5 Netegrity SiteMinder 4.5.1 SP1 Netegrity SiteMinder 4.5.1 Netegrity SiteMinder 4.5 Netegrity SiteMinder 4.0 - Microsoft Windows NT 4.0 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 - Sun Solaris 2.6_x86 - Sun Solaris 2.6 - Sun Solaris 2.5_x86 - Sun Solaris 2.5 - Sun Solaris 2.4_x86 - Sun Solaris 2.4 - Sun Solaris 2.3 - Sun Solaris 2.2 - Sun Solaris 2.1 - Sun Solaris 2.0 Netegrity SiteMinder 3.6 - Microsoft Windows NT 4.0 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 - Sun Solaris 2.6_x86 - Sun Solaris 2.6 - Sun Solaris 2.5_x86 - Sun Solaris 2.5 - Sun Solaris 2.4_x86 - Sun Solaris 2.4 - Sun Solaris 2.3 - Sun Solaris 2.2 - Sun Solaris 2.1 - Sun Solaris 2.0

Not Vulnerable:

Discussion

Netegrity SiteMinder HTML Page Injection Vulnerability

Netegrity SiteMinder is reported prone to a vulnerability that may allow an attacker to inject arbitrary HTML pages that may be rendered in a user's browser through a URI link. This issue originates in the 'smpwservicescgi.exe' script and can facilitate arbitrary script execution and other attacks such as phishing.

An attacker can manipulate URI parameters to redirect a user to a potentially malicious Web page after authentication to the server.

All versions of SiteMinder are considered vulnerable at the moment.

Exploit / POC

Netegrity SiteMinder HTML Page Injection Vulnerability

An exploit is not required.

The following proof of concept is available:
https://www.example.com/siteminderagent/pwcgi/smpwservicescgi.exe?TARGET=http%3a%2f%2fwww%2ecomputec%2ech

Solution / Fix

Netegrity SiteMinder HTML Page Injection Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

References

Netegrity SiteMinder HTML Page Injection Vulnerability

References:

SiteMinder Product Page (Netegrity)
Netegrity SiteMinder smpwservicescgi.exe target specification ("Marc Ruef" )