The Citrix MetaFrame Access Suite is a product that enables users to access enterprise applications and information on demand. MetaFrame XP is vulnerable to a Cross-Site Scripting attack based on the manipulation of error messages sent to the user's web browser.
Credit:
The information has been provided by IRM Advisories.
Vulnerable systems:
* Citrix MetaFrame XP 1.0
* Web Interface 2.0
During a recent penetration test, IRM identified a machine running Citrix MetaFrame XP that prompted for authentication credentials. When 'random' credentials were supplied, a page was returned displaying the following error:
"ERROR: The credentials supplied were invalid. Please try again."
The text used to construct this error message formed part of the URL:
https://server/citrix/metaframexp/default/login.asp?NFuse_LogoutId=On&NFuse_MessageType=Error&NFuse_Message=Thex0020credentialsx0020suppliedx0020werex0020invalidx002ex0020x0020Pleasex0020tryx0020againx002e
If the URL was changed to the following:
https://server/citrix/metaframexp/default/login.asp?NFuse_LogoutId=On&NFuse_MessageType=Error&NFuse_Message=< SCRIPT>alert("Vulnerable to XSS")</SCRIPT>
The server returned the supplied HTML as part of the error page, and the JavaScript executed in the user's browser.
Citrix were contacted and immediately confirmed that this was indeed a security issue and set about producing a patch to include in the next update for the product.
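The flaw described above, modelled as an added Python example (not code from Citrix or IRM): an error page that copies NFuse_Message into its HTML, beside two hardened forms. The function names, the page markup and the message catalogue are hypothetical; the URL is the one quoted in this advisory.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Hypothetical message catalogue: the server owns the text, the URL only names a key.
MESSAGES = {
    "invalid_credentials": "The credentials supplied were invalid. Please try again.",
}

def _message_param(url):
    """Return the percent-decoded NFuse_Message query parameter, or ''."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("NFuse_Message", [""])[0]

def render_reflected(url):
    """Flawed pattern: parameter text is copied into the page as-is."""
    return "<p class='error'>ERROR: " + _message_param(url) + "</p>"

def render_encoded(url):
    """Output-encode the value so markup characters are shown as text."""
    return "<p class='error'>ERROR: " + html.escape(_message_param(url), quote=True) + "</p>"

def render_by_key(url):
    """Stronger design: the parameter is a lookup key, never display text."""
    text = MESSAGES.get(_message_param(url), "An error occurred.")
    return "<p class='error'>ERROR: " + html.escape(text) + "</p>"

BASE = ("https://server/citrix/metaframexp/default/login.asp"
        "?NFuse_LogoutId=On&NFuse_MessageType=Error&NFuse_Message=")
# Value exactly as quoted in the advisory text above.
SCRIPT_URL = BASE + '< SCRIPT>alert("Vulnerable to XSS")</SCRIPT>'
# Constructed URL for the key-based design (assumption, not a Citrix format).
KEY_URL = BASE + "invalid_credentials"

if __name__ == "__main__":
    for render in (render_reflected, render_encoded, render_by_key):
        print(render.__name__, "->", render(SCRIPT_URL))
    print("render_by_key ->", render_by_key(KEY_URL))
```

With the key-based form, the text shown to the user can no longer be chosen by whoever crafts the link, which also prevents misleading messages that contain no markup at all.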
Vendor & Patch Information:
Citrix were contacted on August 18th 2003 and released the update on October 2nd 2003, which can be downloaded from http://www.mycitrix.com.
Workarounds:
IRM are not aware of any workarounds for this issue.