Authentication Scheme Protection Level Ignored When Changing The TARGET Parameter of Login FCC

Document ID : KB000117253
Last Modified Date : 10/10/2018
Issue:
With credentials that satisfy only a lower-protection-level authentication scheme, we are able to obtain a session that is accepted by a higher-protection-level resource simply by tampering with the TARGET parameter of the login FCC.

That is, we took the forms login for a realm whose scheme has protection level 10, replaced its TARGET with the URL of a resource in a realm whose scheme has protection level 15, and were able to access that resource with the level 10 credentials (username/password).


Example: 

1) Protect the first application (/web3) with forms Auth scheme 1 (protection level 10). 

2) Protect the second application (/web4) with forms Auth scheme 2 (protection level 15). 

3) Request a resource in the first application, which is protected by forms Auth scheme 1 (protection level 10). The Web Agent redirects you to the login form, carrying the requested resource in the TARGET parameter: 

http://abc.xyz.com/web3/web3.html 

http://abc.xyz.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-000a79a9-4abe-1adf-8bf6-18b20aa2d0cb&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=C9rD0gEngOcqLd1DuzcaJYxsAzvC6vkfITJ1xrYtDPC2obzKtMqbnPP5QvcFrpHb&TARGET=-SM-http%3a%2f%2fabc%2exyz%2ecom%2fweb1%2ftest%2epl

4) Once redirected to the login form, change the TARGET parameter so that it points at a resource in the second application, protected by forms Auth scheme 2 (protection level 15), and request the login URL with the modified TARGET: 

http://abc.xyz.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-000a79a9-4abe-1adf-8bf6-18b20aa2d0cb&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=C9rD0gEngOcqLd1DuzcaJYxsAzvC6vkfITJ1xrYtDPC2obzKtMqbnPP5QvcFrpHb&TARGET=-SM-http%3a%2f%2fabc8%2exyz%2ecom%2fweb2%2ftest%2epl

5) Enter and submit the credentials: you are granted access to /web4 even though you authenticated through forms Auth scheme 1 (protection level 10). 


How can we resolve this?
Environment:
Policy Server 12.52 SP1 CR6 on Red Hat 6, 64-bit 
Web Agent 12.52 SP1 CR6 with Apache 2.2.15, 64-bit, on Red Hat 6, 64-bit 
Cause:
The behaviour is caused by the Web Agent's FCCCompatMode setting (compatibility mode for older FCC processing) being enabled. 
Resolution:
Set the Web Agent parameter FCCCompatMode to No in the Agent Configuration Object (or in the agent's local configuration file, if the agent is configured locally). Then repeat steps 3 to 5 above: with the tampered TARGET, the level 10 credentials should no longer grant access to /web4, and the agent should challenge you with the protection level 15 scheme's login form instead.