CA Service Management

  • 1.  UploadServlet Open Redirect Vulnerability

    Posted Mar 27, 2017 03:58 AM

    Hello, during a penetration test a client discovered an UploadServlet vulnerability. According to the report, the link used to download attachments can be modified in order to construct a link that looks valid and trusted by the user, but redirects to a malicious web site. You can use the following link to mount this type of attack and redirect the user to the CA website:

    http://sdmhost/CAisd/UploadServlet?Bpsid=1&retURL=https://www.ca.com?&ServerName=sdmhost&AttmntId=66677

    In order for the attack to be successful, the AttmntId parameter value in the link should point to a non-existent attachment id.

    We were able to reproduce this in our test lab. We have contacted CA support, but their security team does not think that this is a vulnerability and, according to them, there is no risk if HTTPS is used. We already have HTTPS set up, and to be honest I do not understand how this can help to protect from the attack, especially if the attack is mounted by an insider. As far as I know, the Upload servlet does not support any parameter validation. Can anyone suggest how we can mitigate this vulnerability?



  • 2.  Re: UploadServlet Open Redirect Vulnerability

    Posted Mar 27, 2017 07:57 AM

    It looks like an oversight and bad practice - this is referenced in the Unvalidated Redirects and Forwards Cheat Sheet - OWASP page. By the looks of it, the UploadServlet does not validate the retUrl parameter, but seems to validate the other parameters (attmntId and ServerName).

    Although not a vulnerability per se, since the 'retUrl' is automatically added by SDM and is not a link exposed directly, this 'feature' might be used to trick a user into going to a phishing site (for instance). However, a simpler 'attack' from an insider is to simply add a link to a malicious site directly from the attachments tab via Add URL.



  • 3.  Re: UploadServlet Open Redirect Vulnerability

    Posted Mar 27, 2017 08:07 AM

    In theory I can generate this link to any SDM instance that is exposed to the internet, and send a phishing email to end users.



  • 4.  Re: UploadServlet Open Redirect Vulnerability

    Posted Mar 27, 2017 09:02 AM

    Yep, and it must not be a big job for Dev to fix.

    I can see in the class that there is no validation of the retURL and that the response is created directly from it.

    Having CA modify a few lines for validation in the UploadAttachment.class may quickly do the trick:

    // Accessor for the retURL request parameter; the value is handed back unchanged
    public String getRetURL()
    {
        return this.retURL;
    }

    My 2 cents

    /J
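One way such a check could look, as an added example that is neither SDM code nor from the post: a standalone Java helper that accepts a retURL only when it is a server-relative path on the SDM host or an https URL back to that same host, and otherwise substitutes a fixed local page. The class and method names, the ownHost value "sdmhost" and the "/CAisd/" fallback path are assumptions; Java 8 or later is needed for the lambda.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Hypothetical helper (added example, not code from UploadAttachment.class or CA).
public final class RetUrlValidator {
    // Constructed fallback: a local page on the SDM server, used whenever retURL is rejected.
    private static final String FALLBACK = "/CAisd/";

    // Returns retUrl if it is safe to redirect to, otherwise FALLBACK.
    // ownHost is the host name the servlet itself is served from (assumed "sdmhost").
    public static String safeRedirect(String retUrl, String ownHost) {
        if (retUrl == null || retUrl.isEmpty()) return FALLBACK;
        // Backslashes, whitespace and control characters are parsed differently by browsers
        // than by java.net.URI; reject rather than guess.
        if (retUrl.indexOf('\\') >= 0 || !retUrl.chars().allMatch(c -> c > ' ' && c != 0x7f)) {
            return FALLBACK;
        }
        URI uri;
        try {
            uri = new URI(retUrl);
        } catch (URISyntaxException e) {
            return FALLBACK;
        }
        if (uri.getScheme() == null) {
            // Relative reference: allow only a server-relative path "/...". A protocol-relative
            // "//other.host/..." parses with an authority and is therefore rejected.
            String path = uri.getRawPath();
            boolean ok = uri.getRawAuthority() == null && path != null && path.startsWith("/");
            return ok ? retUrl : FALLBACK;
        }
        // Absolute URL: only https back to this very host; "https://sdmhost@evil.example/"
        // carries userinfo and a different host, so it fails both checks.
        boolean sameHost = uri.getHost() != null && uri.getRawUserInfo() == null
                && uri.getHost().toLowerCase(Locale.ROOT).equals(ownHost.toLowerCase(Locale.ROOT));
        return ("https".equalsIgnoreCase(uri.getScheme()) && sameHost) ? retUrl : FALLBACK;
    }

    public static void main(String[] args) {
        // The retURL value as the servlet receives it from the thread's link, plus variants a tester would try.
        String[] samples = {
            "https://www.ca.com?",                          // thread example, foreign host -> fallback
            "//www.ca.com/",                                // protocol-relative -> fallback
            "https://sdmhost/CAisd/UploadServlet?Bpsid=1",  // same host over https -> allowed
            "/CAisd/UploadServlet?Bpsid=1"                  // server-relative -> allowed
        };
        for (String s : samples) System.out.println(s + " -> " + safeRedirect(s, "sdmhost"));
    }
}
```

Comparing the host rather than matching on a string prefix is what keeps "https://sdmhost.evil.example/" out; a prefix check on "https://sdmhost" would let it through.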



  • 5.  Re: UploadServlet Open Redirect Vulnerability

    Posted Mar 27, 2017 08:57 AM

    Agree Cristi, but the difference with the Add URL is that the destination address you are redirected to will be visible to the users and eventually caught by your security gateway, vs. being phished by something that appears to be SDM to the users in the example above, which is more difficult to get caught by your gateway (even if a good one is supposed to).

    Note that the above, used with SDM having SSO set up, makes it worse, as you can simply send a phishy email to an end user for him to supposedly follow up on a ticket, as an example, and direct him to the page of your choice.

    I still see Gutis as having a valid point.

    My 2 cents

    /J



  • 6.  Re: UploadServlet Open Redirect Vulnerability

    Broadcom Employee
    Posted Mar 27, 2017 09:08 AM

    Hi folks,


    Let me follow up on this further internally to see how we can get this handled properly.

    Thank you

    _R



  • 7.  Re: UploadServlet Open Redirect Vulnerability

    Broadcom Employee
    Posted Mar 28, 2017 04:44 PM

    Just to update, I'm still working on this item with our product management and engineering teams.

    It might be a few days before I have anything new on it.

    thx

    _R



  • 8.  Re: UploadServlet Open Redirect Vulnerability

    Broadcom Employee
    Posted Mar 29, 2017 12:25 PM

    Is there a CA Support ticket associated with this vulnerability?



  • 9.  Re: UploadServlet Open Redirect Vulnerability

    Broadcom Employee
    Posted Mar 30, 2017 05:46 PM

    hey Paul,

    Yes, there is one. We have raised a formal defect with our product development team for further pursuit of this item.

    _R