Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Vulnerability
BID:26375
Info
Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Vulnerability
| Bugtraq ID: | 26375 |
| Class: | Input Validation Error |
| CVE: |
CVE-2007-5923 |
| Remote: | Yes |
| Local: | No |
| Published: | Nov 07 2007 12:00AM |
| Updated: | Nov 03 2009 04:47PM |
| Credit: | Giuseppe Gottardi is credited with the discovery of this issue. |
| Vulnerable: |
Computer Associates SiteMinder Web Agent 0 Computer Associates SiteMinder 6.0 Computer Associates SiteMinder 0 |
| Not Vulnerable: |
Computer Associates SiteMinder 6QMR5 CR13 |
Discussion
Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Vulnerability
Computer Associates SiteMinder Web Agent is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue allows attackers to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
We were not told which versions are affected. We will update this BID as more information emerges.
Computer Associates SiteMinder Web Agent is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue allows attackers to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
We were not told which versions are affected. We will update this BID as more information emerges.
Exploit / POC
Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Vulnerability
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
The following proof-of-concept URIs are available:
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
The following proof-of-concept URIs are available:
Solution / Fix
Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Vulnerability
Solution:
The vendor has addressed this issue in SiteMinder 6QMR5 CR13 as fix 64059. Please contact the vendor for more information.
Solution:
The vendor has addressed this issue in SiteMinder 6QMR5 CR13 as fix 64059. Please contact the vendor for more information.
References
Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Vulnerability
References:
References:
- eTrust SiteMinder Homepage (Computer Associates)
- SiteMinder Agent: Cross Site Scripting (Giuseppe Gottardi
)