Open redirect issue smerrorpage

Document ID : KB000098423
Last Modified Date : 07/06/2018
Issue:
We're running a Web Agent, and if a smerrorpage is defined, the smerrorpage parameter can be
manipulated and the user is redirected to a damaged page in case of an error.

We can reproduce this with WebAgent 12.52QMR01 (running on Apache 2.4.x or IIS 7.x). On all of these Web Agents
ValidTargetDomain is defined.

Example:
https://abc.domain.com/auth/login.fcc?SMENC=ISO-8859-15&smerrorpage=http://google.com

We need a WebAgent parameter similar to ValidTargetDomain=<domain(s)> for smerrorpage as well, which avoids
the user being redirected to a damaged page outside.
 
Environment:
Web Agent 12.52SP1CR05 64bit on Apache 2.4 64bit on Suse 11;
Web Agent 12.52SP1CR05 64bit on IIS 7.5 64bit on Windows;
 
Cause:
The ValidErrorPageDomain ACO parameter has been added to handle this use case: the smerrorpage
target is only followed when it matches one of the configured domains.

The validErrorPageDomain parameter supports two formats:
a). ".ca.com";
b). ".ca.com:8080"

When no port is contained in validErrorPageDomain,

example: ".ca.com",
http://www.ca.com is a match.
http://www.ca.com:8080 is a match.

This implies that any valid port is a match if the host domain matches.

When a port is contained in validErrorPageDomain,

example: ".ca.com:8080",

http://www.ca.com is NOT a match.
http://www.ca.com:8080 is a match.

This implies that only a target containing the whole string ".ca.com:8080"
is a match. Anything else is NOT a match.

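The matching rules above, written out as an added example (not CA's own agent code) of how a redirect allow-list with these two entry formats can be evaluated. It assumes the domain part is a suffix test on the parsed hostname, and that an entry with a port requires the target URL to carry exactly that port.

```python
from urllib.parse import urlsplit

def _parse_target(url):
    """Return (host, explicit_port_or_None) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
            return None  # scheme-relative or malformed targets are never a match
        return parts.hostname.lower(), parts.port  # .port raises on a non-numeric port
    except ValueError:
        return None

def _parse_entry(entry):
    """Split an allow-list entry into (domain_suffix, port_or_None).
    Entries follow the two formats in the article: '.ca.com' or '.ca.com:8080'."""
    entry = entry.strip().lower()
    if ":" in entry:
        domain, port = entry.rsplit(":", 1)
        return domain, int(port)
    return entry, None

def matches_valid_error_page_domain(url, entry):
    """True when the smerrorpage target's parsed host/port is covered by one entry.

    Rules from the article: without a port, any port matches as long as the host
    domain matches; with a port, the URL must carry that exact port. Testing the
    suffix on the parsed hostname (not a substring test on the raw URL) is this
    example's assumption, so a look-alike such as 'www.ca.com.example' is rejected.
    """
    parsed = _parse_target(url)
    if parsed is None:
        return False
    host, port = parsed
    domain, entry_port = _parse_entry(entry)
    if not host.endswith(domain):
        return False
    return entry_port is None or port == entry_port

def is_allowed_error_page(url, entries):
    """Allow the redirect only if some configured entry matches; deny by default."""
    return any(matches_valid_error_page_domain(url, e) for e in entries)

if __name__ == "__main__":
    # Constructed configuration and targets mirroring the article's examples.
    for target in ("http://www.ca.com", "http://www.ca.com:8080", "http://google.com"):
        print(target, is_allowed_error_page(target, [".ca.com"]))
```
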
Resolution:
Upgrade the Web Agent to 12.52SP1CR10 as soon as it becomes available, so that the
ValidErrorPageDomain ACO parameter can be used.

CA Single Sign-On (formerly called CA SiteMinder) Fix Strategy
https://support.ca.com/phpdocs/7/5262/5262_fixstrategy.pdf