[转载]Netegrity SiteMinder smpwservicescgi.exe Target Redirection

信息来源：www.securiteam.com

Summary
Netegrity SiteMinder enables "companies to administer and consistently enforce user access to Web applications and by providing single sign-on (SSO) services to users".

Due to improper filtering of user provided data, a remote attacker can cause the Netegrity SiteMinder's smpwservicescgi.exe CGI to redirect a user to a third party site, which in turn can be used in phishing attacks.

Credit:
The information has been provided by Marc Ruef.
The original article can be found at: http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1022

Details
Netegrity's SiteMinder has a CGI called smpservicecgi.exe, which is used to authenticate a user prior to allowing him to access a restricted web page. One of this CGI's parameters allow the redirection of the user to a web site once the authentication process has been successful. This parameter however, does not check to which web site the user is redirected. This allows an attacker to redirect the user to whatever site he desires, while the user thinks this is the natural course of the logon process.

Exploit:
The following URL will illustrate the attack, once the user has successfully/unsuccessfully logged on he will be redirected to the http://www.google.com web site:
http://vulnerable/siteminderagen ... fwww%2google%2eccom