Credit:
The information has been provided by Martin O'Neal.
Vulnerable Systems:
* Citrix Advanced Access Control version 4.0
* Citrix Advanced Access Control version 4.2
* Citrix Access Gateway version 4.5 Advanced Edition
* Citrix Access Gateway version 4.5 Standard Edition
The web portal interface incorporates a collection of .NET scripts, which utilize a session ID contained within cookies. During the authentication sequence the user session is redirected via an HTTP meta refresh header in an HTML response. The browser subsequently uses this within the next GET request (and the Referer header field of the next HTTP request), placing the session ID in history files and in both client and server logs. The use of the session ID within the HTML content is made worse by the application not setting the HTTP cache control headers appropriately, which can lead to the HTML content being stored within the local browser cache.
This is a particular problem where the web portal is accessed from a shared or public access terminal, such as an Internet cafe: the very environment that this type of solution is intended for.
If an attacker can gain access to the session ID by any mechanism (such as by recovering it from the local cache or logs), then they will be able to access all the resources that are available to the user.
Strong authentication technology, such as SecurID 2FA, does not protect against this style of attack, as the session ID is generated after the strong authentication process is completed.
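The two conditions described above (a session ID carried in the meta refresh target, and a response that is left cacheable) can be checked on a captured login response. The following is an added example, not code from the advisory or from Citrix; the session value, cookie name and URL paths are constructed for illustration.

```python
import re
from html.parser import HTMLParser


class _MetaRefresh(HTMLParser):
    """Collect the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=/path?x=y"
            m = re.search(r"url\s*=\s*(.+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1).strip().strip("'\""))


def audit_response(headers, body, session_id):
    """Return findings for one HTTP response issued during login."""
    findings = []
    parser = _MetaRefresh()
    parser.feed(body)
    if any(session_id in t for t in parser.targets):
        findings.append("session ID in meta refresh URL (leaks to history, Referer, logs)")
    elif session_id in body:
        findings.append("session ID in HTML content")
    cc = {k.lower(): v.lower() for k, v in headers.items()}.get("cache-control", "")
    directives = {d.strip() for d in cc.split(",")}
    if "no-store" not in directives:
        findings.append("response is cacheable (no Cache-Control: no-store)")
    return findings


# Constructed sample data: the session value, cookie name and paths are made up.
SID = "3f9a1c7e5b2d4086"
WEAK = ({"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" '
        f'content="0; url=/portal/home.aspx?sid={SID}"></head></html>')
FIXED = ({"Content-Type": "text/html", "Cache-Control": "no-store, no-cache",
          "Set-Cookie": f"SessionId={SID}; Secure; HttpOnly"},
         '<html><head><meta http-equiv="refresh" '
         'content="0; url=/portal/home.aspx"></head></html>')

if __name__ == "__main__":
    for name, (h, b) in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit_response(h, b, SID))
```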
Recommendations:
Review the recommendations in the Citrix alert [2]. If possible, upgrade to a version of the Citrix Access Gateway product that does not exhibit this issue.
Until the product is upgraded, consider reviewing your remote access policy to restrict the use of the product in shared-access environments.
References:
[1] http://www.citrix.com/English/ps2/products/product.asp?contentID=15005
[2] http://support.citrix.com/article/CTX113814
CVE Information:
CVE-2007-0011