Computer Associates SiteMinder - '%00' Cross-Site Scripting Protection Security Bypass

Author: Arshan Dabirsiaghi
type: webapps
platform: php
port: 
date_added: 2009-06-08 
date_updated: 2014-05-04 
verified: 1 
codes: CVE-2009-2704;OSVDB-56970 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/36086/info

Computer Associates SiteMinder is prone to a security-bypass vulnerability because it fails to properly validate user-supplied input.

An attacker can exploit this issue to bypass cross-site scripting protections. Successful exploits can aid in further attacks.

We don't know which versions of SiteMinder are affected. We will update this BID when more details become available.

http://www.example.com/app/function?foo=bar%00<script>alert(document.cookie)</script>