SiteMinder Exposes Protected Web Pages

An error in URL parsing makes it possible for an attacker to bypass authentication in Netegrity SiteMinder and view protected web pages.

Steve Manzuik

September 10, 2000


Reported September 11, 2000 by @stake

VERSIONS AFFECTED

DESCRIPTION

SiteMinder is designed to provide authentication protection for web sites. A specially crafted URL can be used to bypass SiteMinder authentication and access web pages that are supposed to be protected.

DEMONSTRATION

SiteMinder works by intercepting requests for protected URLs and prompting the user for a username and password. By changing the URL, an attacker can not only bypass authentication but also execute a CGI application, view CGI application source code, and execute a servlet. For example, if www.testsite.com/cgi-bin/confidential.html is a protected web page, an attacker would simply have to submit the following URL to bypass authentication:

www.testsite.com/cgi-bin/confidential.html/$/hack.ccc

In order to execute a CGI application, the attacker would enter the following:

www.testsite.com/cgi-bin/noaccess.cgi$/hack.ccc?subject=test

To view the source of a CGI application:

www.testsite.com/cgi-bin/noaccess.cgi/$/hack.ccc

And finally, to execute a servlet, the attacker would use:

www.testsite.com/applets/noaccess/$/hack.ccc?query=test

Note that in the examples the non-existent file hack.ccc is used after the $/ delimiter. Any filename can be used here as long as it has a .ccc, .class, or .jpg file extension.
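The request pattern described above lends itself to a simple log check. The following Python detector is an added example, not code from the advisory or from Netegrity: it scans constructed access-log lines for a `$/` delimiter followed by a filename with one of the listed extensions. The hostnames, client addresses and log lines are constructed, and decoding `%24` back to `$` before matching is an assumption about how the delimiter may appear in logs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2000:12:00:01 +0000] "GET /cgi-bin/confidential.html HTTP/1.0" 401 0
10.0.0.5 - - [10/Sep/2000:12:00:02 +0000] "GET /cgi-bin/confidential.html/$/hack.ccc HTTP/1.0" 200 5123
10.0.0.7 - - [10/Sep/2000:12:00:03 +0000] "GET /cgi-bin/noaccess.cgi/%24/x.class HTTP/1.0" 200 812
10.0.0.9 - - [10/Sep/2000:12:00:04 +0000] "GET /images/logo.jpg HTTP/1.0" 200 4096
10.0.0.9 - - [10/Sep/2000:12:00:05 +0000] "GET /applets/noaccess/$/a.jpg?query=test HTTP/1.0" 200 77
"""

# Pulls method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# The advisory's pattern: a "$/" delimiter followed by a filename ending in
# .ccc, .class or .jpg, terminated by end of path or the start of a query.
BYPASS_RE = re.compile(r'\$/[^/?]+\.(?:ccc|class|jpg)(?:$|\?)', re.IGNORECASE)

def is_siteminder_bypass(target: str) -> bool:
    """True if the request target matches the $/ bypass pattern."""
    # Decode percent-encoding so "%24/" is treated the same as "$/".
    return bool(BYPASS_RE.search(unquote(target)))

def flag_bypass_attempts(log_text: str) -> list[dict]:
    """Return one record per log line whose request target matches."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if is_siteminder_bypass(target):
            hits.append({"line": lineno, "client": line.split()[0],
                         "target": target, "status": line.rsplit(" ", 2)[-2]})
    return hits

if __name__ == "__main__":
    for hit in flag_bypass_attempts(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['target']} (HTTP {hit['status']})")
```

A 200 response on a flagged line is the interesting case, since it indicates the agent served the protected resource rather than rejecting the request.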

VENDOR RESPONSE

According to @stake, Netegrity fixed this issue earlier in the year and released version 4.11, which is not vulnerable. Netegrity has also notified its customers of this issue. Information from Netegrity is available from its customer support website.

CREDIT

Discovered by @stake
