Using credentials valid for an authentication scheme with a lower protection level, we are able to obtain a session at a higher protection level simply by tampering with the TARGET parameter.
This means that we took the forms login for a protection level 10 resource, replaced its TARGET with that of a protection level 15 resource, and were able to access the level 15 resource with the level 10 credentials (username/password).
Example:
1) Protect the first application (/web3) with forms Auth scheme 1 (protection level 10).
2) Protect the second application (/web4) with forms Auth scheme 2 (protection level 15).
3) Request the first application, protected with forms Auth scheme 1 (protection level 10), and you get redirected to the login page with a TARGET parameter:
http://abc.xyz.com/web3/web3.html
http://abc.xyz.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-000a79a9-4abe-1adf-8bf6-18b20aa2d0cb&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=C9rD0gEngOcqLd1DuzcaJYxsAzvC6vkfITJ1xrYtDPC2obzKtMqbnPP5QvcFrpHb&TARGET=-SM-http%3a%2f%2fabc%2exyz%2ecom%2fweb1%2ftest%2epl
4) Once redirected to the forms login, change the TARGET parameter so that it points at the second application, protected with Auth scheme 2 (protection level 15), and then call the link with the modified TARGET:
http://abc.xyz.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-000a79a9-4abe-1adf-8bf6-18b20aa2d0cb&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=C9rD0gEngOcqLd1DuzcaJYxsAzvC6vkfITJ1xrYtDPC2obzKtMqbnPP5QvcFrpHb&TARGET=-SM-http%3a%2f%2fabc8%2exyz%2ecom%2fweb2%2ftest%2epl
5) Enter and submit the credentials: you are able to access the second application (/web4) after logging in through Auth scheme 1 (protection level 10).
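Added example, not code from the knowledge article or from the product: a small Python check, written from the defender's side, that decodes the TARGET of a login.fcc request and verifies it stays on the host and under the path prefix of the realm that issued the redirect, which is exactly what the tampered URL in step 4 violates. The two URLs are modelled on the ones in steps 3 and 4; the mapping from REALMOID to a realm resource prefix (REALM_RESOURCE_BY_ID) is a constructed assumption used only to make the audit routine runnable. Such a check belongs in a reverse proxy rule or a log audit, not as a replacement for the FCCCompatMode setting.

```python
import posixpath
from urllib.parse import parse_qs, urlparse

# Constructed login.fcc URLs modelled on the ones in steps 3 and 4:
# the original redirect, and the one whose TARGET was edited by hand.
ORIGINAL_LOGIN_URL = (
    "http://abc.xyz.com/siteminderagent/forms/login.fcc?TYPE=33554433"
    "&REALMOID=06-000a79a9-4abe-1adf-8bf6-18b20aa2d0cb&GUID=&SMAUTHREASON=0"
    "&METHOD=GET&SMAGENTNAME=C9rD0gEngOcqLd1DuzcaJYxsAzvC6vkfITJ1xrYtDPC2obzKtMqbnPP5QvcFrpHb"
    "&TARGET=-SM-http%3a%2f%2fabc%2exyz%2ecom%2fweb1%2ftest%2epl"
)
TAMPERED_LOGIN_URL = (
    "http://abc.xyz.com/siteminderagent/forms/login.fcc?TYPE=33554433"
    "&REALMOID=06-000a79a9-4abe-1adf-8bf6-18b20aa2d0cb&GUID=&SMAUTHREASON=0"
    "&METHOD=GET&SMAGENTNAME=C9rD0gEngOcqLd1DuzcaJYxsAzvC6vkfITJ1xrYtDPC2obzKtMqbnPP5QvcFrpHb"
    "&TARGET=-SM-http%3a%2f%2fabc8%2exyz%2ecom%2fweb2%2ftest%2epl"
)

# Constructed assumption: which absolute URL prefix each realm protects.
# In a real deployment this comes from the policy store, not from a dict.
REALM_RESOURCE_BY_ID = {
    "06-000a79a9-4abe-1adf-8bf6-18b20aa2d0cb": "http://abc.xyz.com/web1/",
}

SM_PREFIX = "-SM-"


def decode_target(login_url: str) -> str:
    """Return the TARGET of a login.fcc URL as a plain absolute URL.

    The agent sends TARGET percent-encoded and prefixed with '-SM-' (as in
    the URLs above). parse_qs undoes the percent-encoding; the prefix is
    stripped here. Returns '' when the request carries no TARGET.
    """
    query = parse_qs(urlparse(login_url).query, keep_blank_values=True)
    target = query.get("TARGET", [""])[0]
    if target.startswith(SM_PREFIX):
        target = target[len(SM_PREFIX):]
    return target


def target_within_realm(login_url: str, realm_resource: str) -> bool:
    """True when the decoded TARGET stays on the realm's scheme and host and
    under the realm's path prefix (realm_resource is an absolute URL prefix
    such as 'http://abc.xyz.com/web1/').

    A TARGET on another host, or outside the realm's path, is the pattern
    from step 4 and should be rejected or alerted on. Relative or empty
    TARGETs are treated as suspect as well.
    """
    target = urlparse(decode_target(login_url))
    realm = urlparse(realm_resource)
    if not target.scheme or not target.netloc:
        return False
    same_origin = (
        target.scheme.lower() == realm.scheme.lower()
        and target.netloc.lower() == realm.netloc.lower()
    )
    # Collapse '..' segments so '/web1/../web2/' cannot pass the prefix test.
    path = posixpath.normpath(target.path)
    realm_path = realm.path if realm.path.endswith("/") else realm.path + "/"
    # Append '/' so '/web1' matches '/web1/' while '/web10/x' does not.
    return same_origin and (path + "/").startswith(realm_path)


def audit_login_requests(login_urls, realm_resource_by_id):
    """Return the login.fcc URLs whose TARGET does not belong to the realm
    named by their REALMOID (or whose REALMOID is unknown)."""
    flagged = []
    for url in login_urls:
        query = parse_qs(urlparse(url).query, keep_blank_values=True)
        realm_id = query.get("REALMOID", [""])[0]
        realm = realm_resource_by_id.get(realm_id)
        if realm is None or not target_within_realm(url, realm):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in audit_login_requests([ORIGINAL_LOGIN_URL, TAMPERED_LOGIN_URL],
                                    REALM_RESOURCE_BY_ID):
        print("TARGET outside its realm:", decode_target(url))
```

Run stand-alone, the script reports only the step 4 URL, whose TARGET (abc8.xyz.com, /web2/) lies outside the realm that issued the redirect. The path normalisation matters: a TARGET of /web1/../web2/ decodes to a path under /web2/ and is flagged, whereas a naive string-prefix comparison would accept it.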
How can we resolve this?
Policy Server 12.52 SP1 CR6 on RedHat 6 64-bit; Web Agent 12.52 SP1 CR6 with Apache/2.2.15 64-bit on RedHat 6 64-bit
The issue has been traced to the FCCCompatMode Web Agent parameter.
Set FCCCompatMode to No.
KD: KB000117253