-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
CA20100304-01: Security Notice for CA SiteMinder
8 March 2010
AusCERT Security Bulletin Summary
Product: CA SiteMinder
Operating System: Windows
Impact/Access: Cross-site Scripting -- Remote with User Interaction
CVE Names: CVE-2009-3731
- --------------------------BEGIN INCLUDED TEXT--------------------
CA20100304-01: Security Notice for CA SiteMinder
Issued: March 04, 2010
CA's support is alerting customers to a security risk with CA
SiteMinder. Multiple cross site scripting (XSS) vulnerabilities
exist that can allow a remote attacker to potentially gain
sensitive information. CA has provided guidance to remediate the
The vulnerabilities, CVE-2009-3731, are due to insufficient
validation of input strings. An attacker can potentially steal
network domain credentials by enticing a user to visit a web page
that contains malicious content.
Red Hat Linux
CA SiteMinder 6.0 (SP4 and earlier)
How to determine if the installation is affected
The vulnerability is caused by an issue with the publishing tool
used to create the online help and HTML documentation for older CA
SiteMinder releases (6.0 SP4 and earlier). This vulnerability
affects CA SiteMinder in the following ways:
* HTML versions of the product documentation for SiteMinder can
be deployed on an individual system or through a web server. If
product documentation has been deployed on a web server the
SiteMinder 6.0 installation is vulnerable.
* Online help systems for SiteMinder are deployed and accessible
through a web server. This vulnerability applies to help systems.
In both cases, this vulnerability applies if web access to the
associated web servers has been configured to make use of
non-public (client-specific) information.
* Upgrade Policy Servers to the latest service pack for SiteMinder
6.0. Remove older versions of the product documentation from your
* For Integrated Document sets, if you have deployed the HTML
version of documentation to a web server, move the documentation
to a file server and delete the documentation from the web server.
* For Online Help systems, remove the help systems from the
application folders and place them on a file system for future
reference. Note that this will cause help links to fail in the
The folders that contain help systems are:
o Administrative UI Help:
<policy server home>\admin\help
o Policy Server Management Console Help:
<policy server home>\bin\smconsole-help
o SiteMinder Test Tool Help:
<policy server home>\bin\smtest-help
CVE-2009-3731 - WebWorks Help XSS
CVE-2009-3731 - Daniel Grzelak and Alex Kouzemtchenko of stratsec
Version 1.0: Initial Release
If additional information is required, please contact CA Support
If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team
CA, 1 CA Plaza, Islandia, NY 11749
Legal Notice http://www.ca.com/us/legal/
Copyright (c) 2010 CA. All rights reserved.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----