COMMAND
SiteMinder
SYSTEMS AFFECTED
Netegrity SiteMinder 3.6, 4.0
PROBLEM
Following is based on a @stake Security Advisory by David
Litchfield and Mark Litchfield. Netegrity's SiteMinder is a web
access control product for Solaris and Windows NT that implements
various authentication mechanisms to protect content on websites.
It features native integration with industry-standard LDAP, NDS,
and NT directory services as well as SQL databases.
SiteMinder supports more fine-grained access control than is
normally provided by web servers. For example, user access can be
restricted to the level of buttons or form fields whereas web
servers generally restrict access at the page level.
Due to an error in SiteMinder's URL parsing, it is possible for
an attacker to bypass the authentication phase and view protected
web pages directly.
SiteMinder's authentication mechanism can be bypassed by using
a properly crafted URL. For example, assume the following web
page is protected:
http://www.mysite.com/cgi-bin/secrets.html
Normally, if someone were to try accessing this page, SiteMinder
would intercept the request and prompt for a username and password
before allowing the user to execute the script and view the
results. However, the user can make a small modification to the
URL to avoid the authentication phase:
http://www.mysite.com/cgi-bin/secrets.html/$/foo.ccc
When using a URL crafted in this manner, SiteMinder appears to
ignore its access control policy and simply allows the requested
page to be served to the attacker with no further prompting.
This vulnerability can be used not only to view static web pages,
but also to execute CGI applications and to view server-side
source code. Again, all of these actions can be performed without
ever being prompted for authorization. Example URLs are as
follows:
- To execute a CGI application:
http://www.mysite.com/cgi-bin/restricted.cgi$/foo.ccc?subject=blah
- To view the source code for that CGI application:
http://www.mysite.com/cgi-bin/restricted.cgi/$/foo.ccc
- To execute a servlet:
http://www.mysite.com/applets/restricted/$/foo.ccc?query=blah
In the example URLs, the non-existent file "foo.ccc" is used after
the "$/" delimiter; however, any filename can be used here
provided it has an extension of .ccc, .class, or .jpg (and
possibly others that have not yet been discovered).
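A defender-side check, added here as an example and not part of the @stake advisory or of Netegrity's product: it parses web server access log lines, recognises the "$/" delimiter pattern the advisory describes, and reports which protected resource was actually served and with what status. The log format, field names and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2000:10:01:02 +0000] "GET /cgi-bin/secrets.html HTTP/1.0" 401 0
10.0.0.5 - - [12/Oct/2000:10:01:09 +0000] "GET /cgi-bin/secrets.html/$/foo.ccc HTTP/1.0" 200 4821
10.0.0.7 - - [12/Oct/2000:10:02:15 +0000] "GET /cgi-bin/restricted.cgi$/foo.ccc?subject=blah HTTP/1.0" 200 310
10.0.0.8 - - [12/Oct/2000:10:03:00 +0000] "GET /applets/restricted/$/x.class?query=blah HTTP/1.0" 200 77
10.0.0.9 - - [12/Oct/2000:10:04:30 +0000] "GET /images/logo.jpg HTTP/1.0" 200 5120
"""

# Extensions the advisory names as passing through unprotected after "$/".
UNPROTECTED_EXT = ("ccc", "class", "jpg")

# Bypass shape from the advisory: the real resource, an optional "/", the "$/"
# delimiter, then any filename carrying one of the unprotected extensions.
BYPASS_RE = re.compile(
    r"^(?P<real>.+?)/?\$/[^/?]*\.(?P<ext>" + "|".join(UNPROTECTED_EXT) + r")$",
    re.IGNORECASE)

# Minimal combined-log-format parser: client, timestamp, method, target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def real_resource(target):
    """(protected path, extension) if target matches the bypass shape, else None."""
    # Only the path carries the delimiter; the query string is irrelevant here.
    m = BYPASS_RE.match(urlsplit(target).path)
    return (m.group("real"), m.group("ext").lower()) if m else None

def scan_log(text):
    """One finding per log line whose request target matches the bypass shape."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        hit = real_resource(m.group("target")) if m else None
        if hit is None:
            continue
        findings.append({
            "client": m.group("ip"),
            "when": m.group("ts"),
            "status": int(m.group("status")),
            "resource": hit[0],    # the path SiteMinder should have protected
            "extension": hit[1],   # the trailing extension that slipped through
        })
    return findings
```

Calling scan_log(SAMPLE_LOG) on the constructed lines reports the three "$/" requests and, for each, the protected path that was served with status 200; a 200 on such a request after the patch is applied is the signal worth alerting on.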
SOLUTION
Netegrity identified and fixed this issue earlier this year. The
issue does not exist in the currently shipping SiteMinder 4.11
product, which has already been distributed to all customers on
maintenance. Customers using previous versions of SiteMinder have
been notified of the issue and alerted that they can download the
patch from the customer support section of the Netegrity web site.
Customers can also call customer service at 800-325-9870 with any
questions or concerns.
First install the vendor patch. The patch does *not* fix the
protection of URLs that do not have a file extension, which is
commonly the case for CGI programs and servlets. An example is
the following:
http://www.mysite.com/applets/restricted
In this case, add a file extension so that the patch will work:
http://www.mysite.com/applets/restricted.applet