COMMAND

    SiteMinder

SYSTEMS AFFECTED

    Netegrity SiteMinder 3.6, 4.0

PROBLEM

    Following  is  based  on  a  @stake  Security  Advisory  by  David
    Litchfield and Mark Litchfield.   Netegrity's SiteMinder is a  web
    access control product for Solaris and Windows NT that  implements
    various authentication mechanisms to protect content on  websites.
    It features native  integration with industry-standard  LDAP, NDS,
    and NT directory services as well as SQL databases.

    SiteMinder  supports  more  fine-grained  access  control  than is
    normally provided by web servers.  For example, user access can be
    restricted to  the level  of buttons  or form  fields whereas  web
    servers generally restrict access at the page level.

    Due to an  error in SiteMinder's  URL parsing, it  is possible for
    an attacker to bypass the authentication phase and view  protected
    web pages directly.

    SiteMinder's  authentication  mechanism  can  be bypassed by using
    a properly  crafted URL.   For example,  assume the  following web
    page is protected:

        http://www.mysite.com/cgi-bin/secrets.html

    Normally, if someone were  to try accessing this  page, SiteMinder
    would intercept the request and prompt for a username and password
    before  allowing  the  user  to  execute  the  script and view the
    results.  However, the user  can make a small modification  to the
    URL to avoid the authentication phase:

        http://www.mysite.com/cgi-bin/secrets.html/$/foo.ccc

    When using  a URL  crafted in  this manner,  SiteMinder appears to
    ignore its access control  policy and simply allows  the requested
    page to be served to the attacker with no further prompting.

    This vulnerability can be used not only to view static web  pages,
    but  also  to  execute  CGI  applications  and to view server-side
    source code.  Again, all of these actions can be performed without
    ever  being  prompted  for  authorization.   Example  URLs  are as
    follows:

      - To execute a CGI application:
        http://www.mysite.com/cgi-bin/restricted.cgi$/foo.ccc?subject=blah
      - To view the source code for that CGI application:
        http://www.mysite.com/cgi-bin/restricted.cgi/$/foo.ccc
      - To execute a servlet:
        http://www.mysite.com/applets/restricted/$/foo.ccc?query=blah

    In the example URL, the non-existent file "foo.ccc" is used  after
    the  "$/"  delimiter;  however,  any  filename  can  be  used here
    provided  it  has  an  extension  of  .ccc,  .class,  or .jpg (and
    possibly others that have not yet been discovered).
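    The following is an added example, not part of the original advisory
    or of Netegrity's product: a small Python script that scans web server
    access log lines (Common Log Format, sample lines constructed here) for
    the "$/" bypass segment described above.  It reports the resource that
    was actually served, the trailing filename, and whether the trailing
    extension is one of the three the advisory names; any "$/" segment is
    reported because the advisory notes that other extensions may exist.
    The log format, field names and sample addresses are assumptions.

```python
import re
from typing import List, Optional

# Extensions the advisory lists as confirmed to trigger the bypass.
KNOWN_SUFFIXES = (".ccc", ".class", ".jpg")

# A "$/" path segment followed by a filename (stops at "/", "?" or whitespace).
BYPASS_RE = re.compile(r"\$/([^/?\s]+)")

# Common Log Format, e.g.
#   10.0.0.5 - - [12/Oct/2000:10:01:02 +0000] "GET /path HTTP/1.0" 200 512
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def classify_request(url: str) -> Optional[dict]:
    """Return details when the URL carries a "$/" segment, else None."""
    m = BYPASS_RE.search(url)
    if not m:
        return None
    trailer = m.group(1)
    known = any(trailer.lower().endswith(s) for s in KNOWN_SUFFIXES)
    # The resource SiteMinder would have had to protect is everything
    # before the "$/" segment (a trailing "/" may or may not be present).
    target = url[: m.start()].rstrip("/")
    return {"target": target, "trailer": trailer, "known_suffix": known}


def scan_log(lines: List[str]) -> List[dict]:
    """Parse CLF lines and return one finding per request using the bypass."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        c = classify_request(m.group("url"))
        if c is None:
            continue
        status = int(m.group("status"))
        findings.append({
            "host": m.group("host"),
            "status": status,
            # A 200 on a bypass URL means the protected content was served.
            "served": status == 200,
            **c,
        })
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2000:10:01:02 +0000] "GET /cgi-bin/secrets.html HTTP/1.0" 401 120',
    '10.0.0.5 - - [12/Oct/2000:10:01:09 +0000] "GET /cgi-bin/secrets.html/$/foo.ccc HTTP/1.0" 200 4523',
    '10.0.0.7 - - [12/Oct/2000:10:02:15 +0000] "GET /cgi-bin/restricted.cgi$/foo.ccc?subject=blah HTTP/1.0" 200 880',
    '10.0.0.9 - - [12/Oct/2000:10:03:00 +0000] "GET /applets/restricted/$/x.bin HTTP/1.0" 200 300',
    '10.0.0.2 - - [12/Oct/2000:10:04:00 +0000] "GET /images/logo.jpg HTTP/1.0" 200 2000',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

    The first sample line (a 401 on the plain URL) is the normal challenge
    and is not reported; the 200 responses on "$/" URLs are the events
    worth alerting on, and the "x.bin" entry shows why the check is not
    limited to the three known extensions.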

SOLUTION

    Netegrity identified and fixed this issue earlier this year.   The
    issue does  not exist  in the  currently shipping  SiteMinder 4.11
    product, which has  already been distributed  to all customers  on
    maintenance.  Customers using previous versions of SiteMinder have
    been notified of the issue and alerted that they can download  the
    patch from the customer support section of the Netegrity web site.
    Customers can also call customer service at 800-325-9870 with  any
    questions or concerns.

    First install the vendor patch.  The patch does *not* fix the
    protection of URLs that do not have a file extension, which is
    commonly the case for CGI programs and servlets.  An example is
    the following:

        http://www.mysite.com/applets/restricted

    In this case, add a file extension to the protected URL so that the
    patch takes effect:

        http://www.mysite.com/applets/restricted.applet
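    As an added example (not from the advisory or the vendor), the
    following Python helper audits a list of protected resource URLs and
    flags those whose last path segment has no file extension, since the
    patch does not cover them.  For each such entry it suggests the
    renamed form using the ".applet" extension shown above; the default
    extension, the function names and the sample policy entries are
    assumptions.

```python
import posixpath
from typing import List, Tuple
from urllib.parse import urlsplit


def protected_resource_lacks_extension(url: str) -> bool:
    """True when the last path segment of the URL has no file extension."""
    path = urlsplit(url).path.rstrip("/")
    last = posixpath.basename(path)
    # The root path has no segment to check; otherwise look for a dot.
    return last != "" and "." not in last


def audit_policy(resources: List[str], default_ext: str = ".applet") -> List[Tuple[str, str]]:
    """Return (resource, suggested) pairs for entries the patch will not cover."""
    out = []
    for r in resources:
        if not protected_resource_lacks_extension(r):
            continue
        parts = urlsplit(r)
        # Keep scheme, host and query; only the path segment gets the extension.
        fixed = parts._replace(path=parts.path.rstrip("/") + default_ext).geturl()
        out.append((r, fixed))
    return out


# Constructed sample policy entries (not a real configuration).
SAMPLE_POLICY = [
    "http://www.mysite.com/applets/restricted",
    "http://www.mysite.com/cgi-bin/restricted.cgi",
    "http://www.mysite.com/cgi-bin/app/?q=1",
]

if __name__ == "__main__":
    for original, suggested in audit_policy(SAMPLE_POLICY):
        print(f"{original} -> {suggested}")
```

    Renaming the resource only helps if the web server or servlet engine
    still maps the new name to the same program, so each suggestion needs
    to be applied on the server side as well as in the SiteMinder policy.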