Potential Header Injection for smpwservices.fcc (154517, 154468)

Symptom:

A malicious smerrorpage parameter can be injected because the error page was not validated.

Solution:

This issue is fixed. Use the following agent parameter to validate the domains of error pages:

ValidErrorPageDomain

Specifies a list of valid domains for customized SiteMinder error pages. SiteMinder only redirects users to custom error pages when the domain of the error page appears in this parameter. If the domain is not listed, then a blank error page is displayed and a corresponding unauthorized message (such as smpwservices.unauth) is returned.

Default: None (no domains listed).

STAR Issue #: 20628512:01
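
The kind of domain allow-list check that ValidErrorPageDomain describes, sketched as an added example; it is not SiteMinder's own code. The function names, the sample domain list, and the matching rule (absolute http/https URLs only, exact host or subdomain of a listed domain) are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample value; how SiteMinder itself parses and matches the list
# is not described on this page, so the matching rule below is an assumption.
VALID_ERROR_PAGE_DOMAINS = ["example.com", "errors.example.net"]


def error_page_allowed(url, allowed=VALID_ERROR_PAGE_DOMAINS):
    """Return True only if url is an absolute http(s) URL on a listed domain."""
    # CR/LF and other control characters could split the Location header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    # Browsers treat "\" like "/", which can move the effective host.
    if "\\" in url:
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    # "https://example.com@other.test/" has example.com as userinfo, not host.
    if parts.username is not None or parts.password is not None:
        return False
    host = host.rstrip(".").lower()
    domains = [d.strip().lstrip(".").lower() for d in allowed if d.strip()]
    # Assumed rule: exact host match, or a subdomain of a listed domain.
    return any(host == d or host.endswith("." + d) for d in domains)


def resolve_error_page(url, allowed=VALID_ERROR_PAGE_DOMAINS):
    """Return the redirect target, or None to show the blank error page."""
    return url if error_page_allowed(url, allowed) else None
```

With an empty list (the documented default), every smerrorpage value resolves to `None`, so no redirect to a custom page happens.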