AnsweredAssumed Answered

UploadServlet Open Redirect Vulnarability

Question asked by Gutis Champion on Mar 27, 2017
Latest reply on Mar 30, 2017 by Raghu.Rudraraju

Hello, during penetration test client discovered uploadservlet vulnerability. According to report the link used to download attachments can be modified in order to construct link that looks valid and trusted by the user, but redirects to malicious web site. You can use the following link to mount this type of attack and redirect user to CA website

 

http://sdmhost/CAisd/UploadServlet?Bpsid=1&retURL=https://www.ca.com?&ServerName=sdmhost&AttmntId=66677

 

 

In order for attack to be successful AttmntId parameter value in the link should point to not existing attachment id.

 

We where able to reproduce this in our test lab. We have contacted CA support, but their security team does not think that this is vulnerability and according to them there is no risk if https is used. We already have https setup, and to be honest I do not understand how this can help to protect from attack especially if attack is mounted by insider. As far as I know Upload servlet does not support any parameter validation. Can anyone suggest how we can mitigate this vulnerability.

Outcomes