lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 18 Mar 2010 18:38:45 +0530
From: Phani <pklanka@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Citrix Web interface - Source code disclosure?

Hello all,

This is with regard to the methodology that Citrix Web interface 4.5.1
employs to parse the JavaScript files.

The JavaScript files in the ClientScripts folder of the web interface
contain ASP.NET code. These files are referenced (using include functions)
in the Citrix ASPX files for the parsing of ASP.NET content within the JS
files. The resultant JavaScript content after parsing is represented inline
within the ASPX page in the browser between script tags. (Process is more
sort of like parsing of include files header.inc and footer.inc present in
the include folder).

The vulnerability lies wherein remote users can access
the JavaScript files in the Clientscripts folder with ASP.NET source code,
directly in the browser. Such files appear in the Content-Type: Text/HTML
and disclose the ASP.NET code in the files. The examples of location of such
files are below:

1. /AccessPlatform/auth/clientscripts/cookies.js
2. /AccessPlatform/auth/clientscripts/login.js

My question here is if the ASP.NET source code (server side script) is
presented to the web browser, are we looking at a source code disclosure
vulnerability in the Web Interface 4.5.1?

What would be the remediation steps in this case? Block the access to
ClientScripts folder?

And just wanted to ask if any one here knows any vendor patch to this issue?

regards
Phani

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ