Symantec Access Management

Tech Tip : CA Single Sign-On : Open redirect issue smerrorpage

    Posted 06-07-2018 04:45 AM

    Issue:


    We're running a Web Agent, and if a smerrorpage is defined, the smerrorpage parameter can be
    manipulated and the user is redirected to a damaged page in case of an error.

    We can reproduce this with WebAgent 12.52QMR01 (running on Apache 2.4.x or IIS 7.x). On all of these Webagents
    ValidTargetDomain is defined.

     

    Example:

     

    https://abc.domain.com/auth/login.fcc?SMENC=ISO-8859-15&smerrorpage=http://google.com

     

    We need a similar WebAgent parameter like Validtargetdomain=<domain(s)> also for smerrorpage, which avoids
    the user being redirected to a damaged page outside.

    Environment:

     

    Web Agent 12.52SP1CR05 64bit on Apache 2.4 64bit on Suse 11;
    Web Agent 12.52SP1CR05 64bit on IIS 7.5 64bit on Windows;

    Cause:


    The ValidErrorPageDomain ACO parameter has been added to handle this use case.

    The ValidErrorPageDomain parameter supports two formats:

    a). “.ca.com”
    b). “.ca.com:8080”

    When no port is contained in ValidErrorPageDomain, for example “.ca.com”:

    http://www.ca.com is a match.
    http://www.ca.com:8080 is a match.

    This implies that any valid port is a match if the host domain matches.

    When a port is contained in ValidErrorPageDomain, for example “.ca.com:8080”:

    http://www.ca.com is NOT a match.
    http://www.ca.com:8080 is a match.

    This implies that only a target containing the whole string “.ca.com:8080”
    is a match. Anything else is NOT a match.

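    The matching rules above, as a reference implementation added to this tech tip (it is not the Web Agent's own code). It assumes the check is applied to the parsed host and port of the smerrorpage target rather than to a raw substring of the URL, treats relative or non-HTTP targets as not matching, and uses a constructed allow-list; the example open-redirect URL from the issue (smerrorpage=http://google.com) is rejected.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this illustration, in the two documented formats:
# a suffix without a port (any port matches) and a suffix with a port (port must match).
VALID_ERROR_PAGE_DOMAINS = [".ca.com", ".example.org:8443"]


def _split_entry(entry):
    """Split an ACO entry into (domain_suffix, port or None)."""
    domain, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return domain.lower(), int(port)
    return entry.lower(), None


def error_page_allowed(url, allowed=VALID_ERROR_PAGE_DOMAINS):
    """Return True if 'url' is an acceptable smerrorpage target.

    Rules as documented in the tech tip:
      - entry without port: host must end with the suffix; any port is a match
      - entry with port:    host must end with the suffix AND the port must be equal
    Assumption: the comparison is done on the parsed host/port, not on a raw
    substring of the URL, so "http://evil.test/.ca.com:8080" cannot slip through.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # relative paths and non-HTTP schemes are rejected here (assumption)
    host = parts.hostname.lower()
    try:
        port = parts.port  # None when the URL carries no explicit port
    except ValueError:
        return False  # malformed port component
    for entry in allowed:
        suffix, want_port = _split_entry(entry)
        if not host.endswith(suffix):
            continue
        if want_port is None or port == want_port:
            return True
    return False


if __name__ == "__main__":
    for target in ("http://www.ca.com", "http://www.ca.com:8080",
                   "http://google.com", "http://www.example.org"):
        print(target, "->", "match" if error_page_allowed(target) else "NOT a match")
```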

    Resolution:
    Upgrade the Web Agent to 12.52SP1CR10 as soon as it is available in order to
    use the ValidErrorPageDomain ACO parameter.

    CA Single Sign-On (formerly called CA SiteMinder) Fix Strategy
    https://support.ca.com/phpdocs/7/5262/5262_fixstrategy.pdf


    KB : KB000098423