CA eTrust SiteMinder login.fcc Arbitrary iframe Injection

2005-07-08T10:15:20
ID OSVDB:17810
Type osvdb
Reporter OSVDB
Modified 2005-07-08T10:15:20

Description

Technical Description

All supported versions of SiteMinder have an agent configuration parameter called "CSSChecking" that is, by default, set to "YES". A SiteMinder administrator would have to intentionally set this parameter to "NO" to become vulnerable to this issue.

References:

Secunia Advisory ID: 15956
Related OSVDB ID: 17809
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0462.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0112.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0163.html