Privacy Violation: Directory Traversal/Browsing: Remediation Technique

Document ID:  TEC1055274
Last Modified Date:  08/08/2017

Products

  • CA Single Sign-On

Components

  • SITEMINDER -WEB AGENT FOR IIS:SMIIS
  • SITEMINDER -WEB AGENT FOR APACHE:SMAPC
Introduction:

How do I configure the CA SSO web agent to prevent directory traversal?

Background:

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.

Environment:
CA SSO Web Agent: ANY
Instructions:
  • This vulnerability is best addressed at the web server level by disabling the directory browsing functionality.

  • The web agent and web server should be configured to run as a user with permissions restricted to just the files they need. They should never run as a privileged user (e.g. the root user on Unix-based systems).

  • Configure BadURLChars to include the "./" and "/." character sequences (these are included by default).

  • KB : https://support.ca.com/us/knowledge-base-articles.tec478518.html
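To show what the BadURLChars recommendation above actually catches, and why it should be paired with a document-root containment check, here is an added illustration in Python. It is not the web agent's code and does not describe how the agent parses requests; the only values taken from this article are the default sequences "./" and "/.". The document root, the decoding behaviour and the sample request paths are all constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Sequences this article says BadURLChars includes by default.
# Everything else in this file is constructed for illustration, not the agent's code.
BAD_URL_CHARS = ("./", "/.")

# Hypothetical document root used for the containment check.
DOC_ROOT = "/var/www/html"


def decode_path(raw_path: str) -> str:
    """Strip any query string and percent-decode the path.

    Decoding is applied twice so that double-encoded sequences such as
    %252e%252e (-> %2e%2e -> ..) are inspected in their final form. This is a
    defensive choice made for the example, not a statement about how the web
    agent decodes requests.
    """
    path = raw_path.split("?", 1)[0]
    return unquote(unquote(path))


def find_bad_url_chars(raw_path: str, bad=BAD_URL_CHARS):
    """Return the first configured sequence present in the decoded path, else None."""
    decoded = decode_path(raw_path)
    for seq in bad:
        if seq in decoded:
            return seq
    return None


def resolve_under_root(raw_path: str, root: str = DOC_ROOT):
    """Lexically resolve the path against root; return the file path, or None if it escapes.

    This is the second, independent layer: even a request that slipped past the
    character filter must still map to a file inside the document root.
    """
    decoded = decode_path(raw_path)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root.rstrip("/") + "/"):
        return candidate
    return None


def check_request(raw_path: str):
    """Combine both checks and return ('reject', reason) or ('allow', file_path)."""
    seq = find_bad_url_chars(raw_path)
    if seq is not None:
        return ("reject", f"BadURLChars match: {seq!r}")
    target = resolve_under_root(raw_path)
    if target is None:
        return ("reject", "path resolves outside document root")
    return ("allow", target)


if __name__ == "__main__":
    # Constructed sample request paths: ordinary files, a plain "..", a
    # percent-encoded and a double-encoded variant, and a dotfile.
    samples = [
        "/app/index.html",
        "/app/../../../etc/passwd",
        "/app/%2e%2e/%2e%2e/etc/passwd",
        "/app/%252e%252e/%252e%252e/etc/passwd",
        "/.htaccess",
        "/docs/report.v2.pdf?download=1",
    ]
    for s in samples:
        print(f"{s:45} -> {check_request(s)}")
```

Two points are worth noticing when running this. First, a single "../" segment contains both "./" and "/.", so the two default sequences cover the common traversal forms while leaving names such as `report.v2.pdf` untouched; the same sequences also reject dotfile requests such as `/.htaccess`, which is usually what you want on a web server. Second, the containment check in `resolve_under_root` rejects a request whose resolved path lands outside the root even if the character filter were misconfigured, which is the defence-in-depth reason to combine the BadURLChars setting with disabling directory browsing and running the agent as a restricted user.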
