
Title: SiteMinder Access Control Bypass (A091100-1)
Released by: @stake
Date: 11th September 2000
                               @stake Inc.
                            www.atstake.com

                           Security Advisory

Advisory Name: SiteMinder Access Control Bypass (A091100-1)
 Release Date: 09/11/2000
  Application: Netegrity SiteMinder 3.6, 4.0
     Platform: Solaris 2.x, Windows NT
     Severity: Access control mechanism can be bypassed
      Authors: David Litchfield (dlitchfield@atstake.com)
               Mark Litchfield (mlitchfield@atstake.com)
 Contributors: Frank Swiderski (fes@atstake.com)
Vendor Status: Vendor has released a patch
          Web: www.atstake.com/research/advisories/2000/a091100-1.txt





Overview:

Netegrity's SiteMinder
(http://www.netegrity.com/products/siteminder.html) is a web access
control product for Solaris and Windows NT that implements various
authentication mechanisms to protect content on websites.  It
features native integration with industry-standard LDAP, NDS, and
NT directory services as well as SQL databases.

SiteMinder supports more fine-grained access control than is
normally provided by web servers.  For example, user access can be
restricted to the level of buttons or form fields, whereas web servers
generally restrict access at the page level.

Due to an error in SiteMinder's URL parsing, it is possible for
an attacker to bypass the authentication phase and view protected web
pages directly.





Detailed Description:

SiteMinder's authentication mechanism can be bypassed by using
a properly crafted URL.  For example, assume the following web page
is protected:

 http://www.mysite.com/cgi-bin/secrets.html

Normally, if someone tried to access this page, SiteMinder
would intercept the request and prompt for a username and password
before allowing the user to execute the script and view the results.
However, the user can make a small modification to the URL to avoid
the authentication phase:

 http://www.mysite.com/cgi-bin/secrets.html/$/foo.ccc

When using a URL crafted in this manner, SiteMinder appears to
ignore its access control policy and simply allows the requested page
to be served to the attacker with no further prompting.

This vulnerability can be used not only to view static web pages,
but also to execute CGI applications and to view server-side source
code.  Again, all of these actions can be performed without ever
being prompted for authorization.  Example URLs are as follows:

To execute a CGI application:

 http://www.mysite.com/cgi-bin/restricted.cgi$/foo.ccc?subject=blah

To view the source code for that CGI application:

 http://www.mysite.com/cgi-bin/restricted.cgi/$/foo.ccc

To execute a servlet:

 http://www.mysite.com/applets/restricted/$/foo.ccc?query=blah

In the example URLs, the non-existent file "foo.ccc" is used
after the "$/" delimiter; however, any filename can be used here
provided it has an extension of .ccc, .class, or .jpg (and possibly
others that have not yet been discovered).





Vendor Response (received via email from Netegrity):

Netegrity identified and fixed this issue earlier this year. The
issue does not exist in the currently shipping SiteMinder 4.11
product, which has already been distributed to all customers on
maintenance. Customers using previous versions of SiteMinder have
been notified of the issue and alerted that they can download the
patch from the customer support section of the Netegrity web site.
Customers can also call customer service at 800-325-9870 with any
questions or concerns.





Recommendations:

First install the vendor patch.  The patch does *not* fix the
protection of URLs that do not have a file extension, which is
commonly the case for CGI programs and servlets.  An example is the
following:

 http://www.mysite.com/applets/restricted

In this case, add a file extension so that the patch will work:

 http://www.mysite.com/applets/restricted.applet
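Added example, not part of the @stake advisory or of Netegrity's product: a Python script that scans constructed web server access log lines for requests carrying the "$/<name>.<ext>" suffix described above, recovers the protected resource the request actually targets so it can be compared against policy, and audits a list of protected resources for entries without a file extension, which the vendor patch does not cover. The log lines, the policy list and all function names are my own assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Common Log Format lines, constructed for this example (not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Sep/2000:10:00:01 +0000] "GET /cgi-bin/secrets.html HTTP/1.0" 401 0
10.0.0.5 - - [11/Sep/2000:10:00:07 +0000] "GET /cgi-bin/secrets.html/$/foo.ccc HTTP/1.0" 200 1834
10.0.0.9 - - [11/Sep/2000:10:01:12 +0000] "GET /cgi-bin/restricted.cgi$/foo.ccc?subject=blah HTTP/1.0" 200 512
10.0.0.9 - - [11/Sep/2000:10:02:30 +0000] "GET /applets/restricted/$/x.jpg?query=blah HTTP/1.0" 200 77
10.0.0.3 - - [11/Sep/2000:10:03:00 +0000] "GET /images/logo.jpg HTTP/1.0" 200 4096
"""

# Extensions the advisory names for the bogus trailing filename.
BYPASS_EXTS = (".ccc", ".class", ".jpg")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def split_bypass(target):
    """If the request target carries a '$/<name>.<ext>' suffix, return
    (protected_path, bogus_name); otherwise None. The '$' may follow the
    resource directly or after a '/', as in the advisory's example URLs."""
    path = unquote(urlsplit(target).path)
    idx = path.find("$/")
    if idx == -1:
        return None
    bogus = path[idx + 2:]
    if not bogus.lower().endswith(BYPASS_EXTS):
        return None
    # This is the resource the policy engine should have evaluated.
    return path[:idx].rstrip("/"), bogus


def find_bypass_attempts(log_text):
    """Return (client_ip, protected_path, status) for every logged request
    that used the bypass pattern; a 200 here means the request got through."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        found = split_bypass(m.group("target"))
        if found:
            hits.append((m.group("ip"), found[0], int(m.group("status"))))
    return hits


def resources_without_extension(protected):
    """Per the Recommendations, the vendor patch only covers resources whose
    last path segment has an extension; return the policy entries lacking one."""
    return [p for p in protected if "." not in p.rsplit("/", 1)[-1]]
```

Run `find_bypass_attempts(SAMPLE_LOG)` against real logs to find past use of the pattern, and `resources_without_extension` against the exported policy to find resources that still need an extension after patching.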







For more advisories: http://www.atstake.com/research/index.html
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.




