SiteMinder is designed to provide authentication protection for web sites. A specially crafted URL can be used to bypass SiteMinder authentication and access web pages that are supposed to be protected.
SiteMinder works by intercepting requests for protected URLs and prompting the user for a username and password. By changing the URL, an attacker can not only bypass authentication but also execute a CGI application, view CGI application source code, and execute a servlet. For example, if www.testsite.com/cgi-bin/confidential.html is a protected web page, an attacker would simply have to submit the following URL to bypass authentication:
In order to execute a CGI application, the attacker would enter the following:
To view the source of a CGI application:
And finally, to execute a servlet, the attacker would use:
Note that in the examples the non-existent file hack.ccc is used after the $/ delimiter. Any filename can be used here as long as it carries the .ccc, .class, or .jpg file extension.
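As an added example (not part of the original advisory), the following Python scans web server access-log lines for the request shape the note above describes: a "$/" delimiter followed by a bogus filename with one of the three extensions. It assumes the delimiter follows the protected path, that the log is in Common Log Format, and that "$" may arrive percent-encoded; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Bypass shape from the advisory: a "$/" delimiter followed by a bogus
# filename ending in .ccc, .class or .jpg (case-insensitive, since the web
# server may not care about case in extensions).
BYPASS_RE = re.compile(r"\$/[^/?#]*\.(?:ccc|class|jpg)(?:[?#]|$)", re.IGNORECASE)

# Common Log Format: ip ident user [time] "METHOD /url HTTP/x.y" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"'
)


def is_bypass_attempt(url: str) -> bool:
    """True if the request URL carries the SiteMinder '$/' bypass pattern.
    The URL is percent-decoded first so '%24/' is treated the same as '$/'."""
    return BYPASS_RE.search(unquote(url)) is not None


def scan_access_log(lines):
    """Return (client_ip, decoded_url) for each line that looks like a bypass attempt."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess at the format
        if is_bypass_attempt(m.group("url")):
            hits.append((m.group("ip"), unquote(m.group("url"))))
    return hits


# Constructed sample log lines (assumed, not from the advisory): a legitimate
# image request, a normal request for the protected page, and two requests
# carrying the delimiter, the second with '$' percent-encoded as %24.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /images/logo.jpg HTTP/1.0" 200 2326',
    '203.0.113.5 - - [10/Oct/2000:13:55:40 -0700] "GET /cgi-bin/confidential.html HTTP/1.0" 401 0',
    '198.51.100.9 - - [10/Oct/2000:13:56:01 -0700] "GET /cgi-bin/confidential.html$/hack.ccc HTTP/1.0" 200 5120',
    '198.51.100.9 - - [10/Oct/2000:13:56:07 -0700] "GET /servlet/Admin%24/x.class HTTP/1.0" 200 880',
]

if __name__ == "__main__":
    for ip, url in scan_access_log(SAMPLE_LOG):
        print(f"possible SiteMinder bypass from {ip}: {url}")
```

A plain .jpg request is not flagged on its own; only the "$/" delimiter combined with one of the benign extensions triggers a hit.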
According to @stake, Netegrity had fixed this issue earlier in the year and released version 4.11, which is not vulnerable. Netegrity has also notified its customers of this issue. Information from Netegrity is available from its customer support website.