Reported September 11, 2000 by @stake
VERSIONS AFFECTED
- Netegrity SiteMinder 3.6 and 4.0
DESCRIPTION
SiteMinder is designed to provide authentication for web sites. A
specially crafted URL can be used to bypass SiteMinder authentication
and access web pages that are supposed to be protected.
DEMONSTRATION
SiteMinder works by intercepting requests for protected URLs and
prompting the user for a username and password. By changing the URL an
attacker can not only bypass authentication but also execute a CGI
application, view CGI application source code, and execute a servlet.
For example, if www.testsite.com/cgi-bin/confidential.html is a
protected page, an attacker would simply have to submit the following
URL to bypass authentication:
www.testsite.com/cgi-bin/confidential.html/$/hack.ccc
In order to execute a CGI application the attacker would enter the
following:
www.testsite.com/cgi-bin/noaccess.cgi$/hack.ccc?subject=test
To view the source of a CGI application:
www.testsite.com/cgi-bin/noaccess.cgi/$/hack.ccc
And finally, to execute a servlet the attacker would use:
www.testsite.com/applets/noaccess/$/hack.ccc?query=test
Note that in the examples the nonexistent file hack.ccc is used after
the $/ delimiter. Any filename can be used here as long as it carries
the .ccc, .class, or .jpg file extension. The fact that only the
extension of the trailing element matters indicates that the access
decision is keyed off the last path element rather than off the
protected resource the web server actually serves, so the extra path
information is enough to make a protected request look like a request
for static content.
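The following is an added example, not code from the @stake advisory or
from Netegrity's product. It models the class of flaw described above
with an assumed naive check that exempts a request whenever the last
path element ends in one of the reported extensions, sets a hardened
check beside it that decides on the decoded, normalized path and lets a
protected prefix win over any trailing path information, and scans a
few constructed web server log lines for the "$/<name>.<ext>" pattern
the advisory gives. The protected prefixes, the exempt extension list
and the log lines are all assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed protected areas, modeled on the URLs in the advisory.
PROTECTED_PREFIXES = ("/cgi-bin/", "/applets/")
# Extensions the advisory reports as passing through unchallenged.
EXEMPT_EXTENSIONS = (".ccc", ".class", ".jpg")


def naive_requires_auth(url):
    """Assumed approximation of the flawed logic (not SiteMinder's code):
    exempt the request if the LAST path element looks like static
    content, and only then consult the protected-prefix list."""
    path = urlsplit(url).path
    last_element = path.rsplit("/", 1)[-1]
    if last_element.lower().endswith(EXEMPT_EXTENSIONS):
        return False
    return path.startswith(PROTECTED_PREFIXES)


def hardened_requires_auth(url):
    """Decide on the resource the server will actually serve: percent-decode
    and normalize the path first, then let a protected prefix win no matter
    what path information or extension follows it."""
    path = posixpath.normpath(unquote(urlsplit(url).path))
    if not path.startswith("/"):
        path = "/" + path
    for prefix in PROTECTED_PREFIXES:
        # normpath strips the trailing slash, so match the bare directory too
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return True
    return False


# "$/" delimiter, any name, one of the exempt extensions, then the end of the
# path, a query string or whitespace.
BYPASS_PATTERN = re.compile(r"\$/[^/?\s]*\.(?:ccc|class|jpg)(?=[?\s]|$)",
                            re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed Common Log Format lines for the example; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Sep/2000:10:01:02 -0400] "GET /cgi-bin/confidential.html HTTP/1.0" 401 0
10.0.0.5 - - [11/Sep/2000:10:01:09 -0400] "GET /cgi-bin/confidential.html/$/hack.ccc HTTP/1.0" 200 4113
10.0.0.5 - - [11/Sep/2000:10:01:30 -0400] "GET /cgi-bin/noaccess.cgi$/hack.ccc?subject=test HTTP/1.0" 200 512
10.0.0.7 - - [11/Sep/2000:10:02:00 -0400] "GET /images/logo.jpg HTTP/1.0" 200 2048
10.0.0.9 - - [11/Sep/2000:10:03:00 -0400] "GET /applets/noaccess/$/hack.ccc?query=test HTTP/1.0" 200 77
"""


def find_bypass_attempts(log_text):
    """Return (line_number, request_target) for every log line whose request
    target carries the advisory's '$/<anything>.<exempt ext>' pattern."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group(1)
        if BYPASS_PATTERN.search(target):
            hits.append((lineno, target))
    return hits


if __name__ == "__main__":
    for url in ("http://www.testsite.com/cgi-bin/confidential.html",
                "http://www.testsite.com/cgi-bin/confidential.html/$/hack.ccc",
                "http://www.testsite.com/cgi-bin/noaccess.cgi$/hack.ccc?subject=test",
                "http://www.testsite.com/images/logo.jpg"):
        print(f"{url}\n  naive={naive_requires_auth(url)} "
              f"hardened={hardened_requires_auth(url)}")
    for lineno, target in find_bypass_attempts(SAMPLE_LOG):
        print(f"bypass pattern in log line {lineno}: {target}")
```

The naive check waves the crafted URLs through while the hardened one
still demands authentication for them, and the log scanner picks out
the three constructed lines that carry the delimiter pattern. Note that
the pattern only catches the exact form the advisory describes; a
server that also tolerates other path-information styles would need the
prefix-based check on the request path, not a signature on the log.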
VENDOR RESPONSE
According to @stake, Netegrity had fixed this issue earlier in the year
and released version 4.11, which is not vulnerable. Netegrity has also
notified its customers of this issue. Information from Netegrity is
available from its customer support website.
CREDIT
Discovered by @stake