Cross-Site Scripting (XSS) Vulnerability in Netegrity IdentityMinder

Classification:
===============
Level: low-[MED]-high-crit
ID: HEXVIEW*2004*07*02*1

Overview:
=========
IdentityMinder is an identity and role management product developed by Netegrity (http://www.netegrity.com), a Microsoft Gold Certified identity and access management partner. Both the primary and the management web interfaces are vulnerable to classic cross-site scripting (XSS) attacks.

Affected products:
==================
All tests were performed using Netegrity IdentityMinder Web Edition 5.6 SP2 for Windows, IIS Server, and Netegrity Policy Server V5.5. Possibly all other IdentityMinder releases are vulnerable.

Cause and Effect:
=================
Although the IdentityMinder product employs URL filtering that disallows common XSS characters in the URL, it is possible to submit a URL string containing any character by using the zero-byte (null byte) string poisoning method: the part of the URL after the %00 character is not checked against the XSS character list. The management interface is also vulnerable to XSS and does not even require zero-byte poisoning.

The vulnerability makes it possible to execute scripts in the context of the web page with the privileges of the current IdentityMinder user. It can be used to steal page data and/or to perform IdentityMinder tasks with the privileges of the logged-in user.

Demonstration:
==============
The problem can be reproduced by following the link below (split over several lines for readability). The example link is the form action link from the ViewGroup search dialog. Please note that you need to replace the PUT_*_HERE placeholders with your actual values.

http://PUT_ADDRESS_HERE/idm/PUT_SITE_NAME_HERE/ims_mainconsole_principalpopuphandler.do?
searchAttrs0=%25GROUP_NAME%25&searchOperators0=EQUALS&searchFilter0=
&searchOrgDN=PUT_DN_HERE&incChildrenOrgFlag=NO&resultsPerPage=10&oid=
&imsui_taskstate=RESOLVE_SCOPE&imsui_tpnametosearch=group
&numOfExpressions=1%00

Here is another link demonstrating the problem in the IdentityMinder management interface. Note that %00 poisoning is not required.

http://PUT_ADDRESS_HERE:7001/idmmanage/mobjattr.do?diroid=PUT_OID_HERE
&attrname=Group%20Members&mobjtype=2

Feedback and comments:
======================
Feedback and questions about this disclosure are welcome at vuln@hexview.com