
Tech Tip : CA Single Sign-On : Open redirect issue smerrorpage

Discussion created by Patrick-Dussault Employee on Jun 7, 2018

Issue:

We are running a Web Agent. If smerrorpage is defined, the smerrorpage parameter can be
manipulated so that, when an error occurs, the user is redirected to a damaged page.

We can reproduce this with Web Agent 12.52QMR01 (running on Apache 2.4.x or IIS 7.x). On all of these Web Agents
ValidTargetDomain is defined.

Example:

https://abc.domain.com/auth/login.fcc?SMENC=ISO-8859-15&smerrorpage=http://google.com

We need a Web Agent parameter similar to ValidTargetDomain=<domain(s)> for smerrorpage as well, to prevent
the user from being redirected to a damaged page outside the site.

Environment:

Web Agent 12.52SP1CR05 64bit on Apache 2.4 64bit on SUSE 11;
Web Agent 12.52SP1CR05 64bit on IIS 7.5 64bit on Windows;

Cause:

The ValidErrorPageDomain ACO parameter has been added to handle this use case.

ValidErrorPageDomain supports 2 formats:

a). “.ca.com”
b). “.ca.com:8080”

When no port is contained in ValidErrorPageDomain, for example “.ca.com”:

http://www.ca.com is a match.
http://www.ca.com:8080 is a match.

This implies that any valid port is a match if the host domain matches.

When a port is contained in ValidErrorPageDomain, for example “.ca.com:8080”:

http://www.ca.com is NOT a match.
http://www.ca.com:8080 is a match.

This implies that only a target containing the whole string “.ca.com:8080”
is a match. Anything else is NOT a match.
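As an added illustration (not code from this tip, and not the CA Web Agent's own implementation), the following Python check applies the two ValidErrorPageDomain formats described above to a requested smerrorpage value, and then uses it to decide which error page the example request at the top of the tip should actually get. The ACO value list, the fallback error page path and the function names are assumptions made for this example. One design choice worth noting: instead of searching for the ACO string anywhere in the target, the check parses the URL and compares the host suffix and, when the entry names one, the explicit port, so a target that merely contains ".ca.com" somewhere in its text is not accepted. Targets with no host (relative paths) are treated as no match, since the tip says nothing about them.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample ACO value (assumption): one entry without a port, one with.
VALID_ERROR_PAGE_DOMAIN = [".ca.com", ".example.org:8443"]

# Hypothetical fallback used when the requested error page is not allowed.
DEFAULT_ERROR_PAGE = "/siteminderagent/error.html"


def _parse_entry(entry):
    """Split an ACO entry into (lower-cased domain suffix, port or None)."""
    entry = entry.strip().lower()
    if ":" in entry:
        domain, port = entry.rsplit(":", 1)
        return domain, int(port)
    return entry, None


def error_page_allowed(url, entries=VALID_ERROR_PAGE_DOMAIN):
    """Return True when url's host (and, for entries with a port, its explicit port)
    matches at least one ValidErrorPageDomain entry."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # user-info and port stripped, lower-cased
        port = parts.port              # None when absent; ValueError when malformed
    except ValueError:
        return False                   # unparsable authority or port: never redirect
    if host is None:
        return False                   # relative target: tip defines no rule, so no match
    for entry in entries:
        domain, wanted_port = _parse_entry(entry)
        if not host.endswith(domain):
            continue
        if wanted_port is None:
            return True                # ".ca.com": any port matches once the host does
        if port == wanted_port:
            return True                # ".ca.com:8080": the explicit port must match too
    return False


def choose_error_page(request_url, entries=VALID_ERROR_PAGE_DOMAIN,
                      fallback=DEFAULT_ERROR_PAGE):
    """Take smerrorpage from the request's query string, but honour it only when
    it passes error_page_allowed; otherwise fall back to a fixed on-site page."""
    query = parse_qs(urlsplit(request_url).query)
    requested = query.get("smerrorpage", [None])[0]
    if requested and error_page_allowed(requested, entries):
        return requested
    return fallback


if __name__ == "__main__":
    # The request from the tip: smerrorpage points at google.com, which no entry allows.
    example = ("https://abc.domain.com/auth/login.fcc"
               "?SMENC=ISO-8859-15&smerrorpage=http://google.com")
    print(choose_error_page(example))   # falls back to DEFAULT_ERROR_PAGE
```

With ".ca.com" configured, both http://www.ca.com and http://www.ca.com:8080 pass; with ".ca.com:8080" only the second does, exactly as the tip describes. A request whose smerrorpage carries a malformed port is rejected rather than redirected, which is the safe default for an error path.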

Resolution:

Upgrade the Web Agent to 12.52SP1CR10 as soon as it becomes available, which adds the ValidErrorPageDomain ACO parameter.

CA Single Sign-On (formerly CA SiteMinder) Fix Strategy:
https://support.ca.com/phpdocs/7/5262/5262_fixstrategy.pdf

KB : KB000098423