Re: SiteMinder Multiple Vulnerabilities (solution)

["Williams, James K" <James.Williams () ca com>]

> List:       full-disclosure
> Subject:    SiteMinder Multiple Vulnerabilities
> From:       c0ntex <c0ntexb () gmail ! com>
> Date:       2005-07-08 14:08:53
>
> $ An open security advisory #10 - Siteminder v5.5 
> Vulnerabilities
>
> [...]

This issue is NOT present in out-of-the-box installations of 
SiteMinder.  All supported versions of SiteMinder have an
agent configuration parameter called "CSSChecking" that is,
by default, set to "YES".  A SiteMinder administrator would 
have to intentionally set this parameter to "NO" to become 
vulnerable to this issue.

The "CSSChecking" configuration parameter has been very well 
documented in SiteMinder product documentation since 2001.

This issue is also documented and addressed in a security 
advisory posted in October 2002 at this URL:
(URL may wrap)
https://support.netegrity.com/ocp/custom/productdownload/productdownload
.asp?isNodeGroup=null&ProductNumber=735&ParentId=493&groupType=249

Note that SiteMinder customers should continue to go to 
support.netegrity.com for product support.

Regards,
kw
                                                           
Ken Williams ; Vulnerability Research 
Computer Associates ; 0xE2941985
A9F9 44A6 B421 FF7D 4000 E6A9 7925 91DF E294 1985

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/