Issue:
We're running a Web Agent, and if a smerrorpage is defined, the smerrorpage parameter can be
manipulated and the user is redirected to a damaged page in case of an error.
We can reproduce this with WebAgent 12.52QMR01 (running on Apache 2.4.x or IIS 7.x). On all of these Web Agents,
ValidTargetDomain is defined.
Example:
https://abc.domain.com/auth/login.fcc?SMENC=ISO-8859-15&smerrorpage=http://google.com
We need a WebAgent parameter similar to ValidTargetDomain=<domain(s)> for smerrorpage as well, which prevents
the user from being redirected to a damaged page outside.
Environment:
Web Agent 12.52SP1CR05 64bit on Apache 2.4 64bit on Suse 11;
Web Agent 12.52SP1CR05 64bit on IIS 7.5 64bit on Windows;
Cause:
The ValidErrorPageDomain ACO parameter has been added to handle this use case.
The ValidErrorPageDomain parameter supports 2 formats:
a). “.ca.com”;
b). “.ca.com:8080”
When no port is contained in ValidErrorPageDomain,
example: “.ca.com”,
http://www.ca.com is a match.
http://www.ca.com:8080 is a match.
This implies that any VALID port is a match if the host domain matches.
When a port is contained in ValidErrorPageDomain,
example: “.ca.com:8080”,
http://www.ca.com is NOT a match.
http://www.ca.com:8080 is a match.
This implies that only the whole string “.ca.com:8080” contained
in the target is a match. Anything else is NOT a match.
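The matching rules above, as an added example (not CA's code and not the Web Agent's implementation): a Python check that applies them to the parsed host and port of a candidate error page, plus a helper that lists the smerrorpage values in logged login URLs that fall outside the allowed domain. The function names and the second sample URL are constructed for illustration, and comparing the parsed host rather than the raw string is an assumption of this example.

```python
from urllib.parse import urlsplit, parse_qs

def error_page_allowed(target, valid_domain):
    """Return True if target matches valid_domain (".ca.com" or ".ca.com:8080")."""
    domain, _, port = valid_domain.lower().partition(":")
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        target_port = parts.port  # raises ValueError if the port is not valid
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    # Compare the parsed host, never the raw string, so userinfo tricks such as
    # "http://www.ca.com@other.example" or a path containing ".ca.com" cannot match.
    if not host.endswith(domain):
        return False
    if not port:
        return True  # no port configured: any valid port matches
    # Port configured: the target must carry exactly that port.
    return target_port is not None and str(target_port) == port

def audit_login_urls(request_urls, valid_domain):
    """Return the smerrorpage values that fall outside valid_domain."""
    rejected = []
    for url in request_urls:
        query = parse_qs(urlsplit(url).query)
        for value in query.get("smerrorpage", []):
            if not error_page_allowed(value, valid_domain):
                rejected.append(value)
    return rejected

# First URL is the example from the issue text; the second is constructed.
SAMPLE_REQUESTS = [
    "https://abc.domain.com/auth/login.fcc?SMENC=ISO-8859-15"
    "&smerrorpage=http://google.com",
    "https://abc.domain.com/auth/login.fcc?SMENC=ISO-8859-15"
    "&smerrorpage=https://abc.domain.com/error.html",
]

if __name__ == "__main__":
    for value in audit_login_urls(SAMPLE_REQUESTS, ".domain.com"):
        print("smerrorpage outside allowed domain:", value)
```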
Resolution:
Upgrade the Web Agent to 12.52SP1CR10 as soon as it is
available in order to use the ValidErrorPageDomain ACO parameter.
CA Single Sign-On (formerly called CA SiteMinder) FixStrategy:
https://support.ca.com/phpdocs/7/5262/5262_fixstrategy.pdf
KB : KB000098423