Date: Fri, 31 Oct 2003 11:32:06 -0000
From: "IRM Advisories" <advisories@...plc.com>
To: <bugtraq@...urityfocus.com>
Subject: IRM 008: Citrix Metaframe XP is vulnerable to Cross Site Scripting


----------------------------------------------------------------------------
IRM Security Advisory No. 008

Citrix Metaframe XP is vulnerable to Cross Site Scripting

Vulnerability Type / Importance: XSS / Medium

Problem discovered: August 18th 2003
Vendor contacted: August 18th 2003
Advisory published: October 31st 2003
----------------------------------------------------------------------------


Abstract:

The Citrix MetaFrame Access Suite is a product that enables users to access
enterprise applications and information on demand. Metaframe XP is
vulnerable to a Cross-Site Scripting attack based on the manipulation of
error messages sent to the user's web browser.


Description:

During a recent penetration test IRM identified a machine running Citrix
Metaframe XP that prompted for authentication credentials. When 'random'
credentials were supplied, a page was returned displaying the following
error: 

"ERROR: The credentials supplied were invalid. Please try again." 

The text used to construct this error message formed part of the URL:

https://server/citrix/metaframexp/default/login.asp?NFuse_LogoutId=On&NFuse_MessageType=Error&NFuse_Message=Thex0020credentialsx0020suppliedx0020werex0020invalidx002ex0020x0020Pleasex0020tryx0020againx002e

If the URL was changed to the following:

https://server/citrix/metaframexp/default/login.asp?NFuse_LogoutId=On&NFuse_MessageType=Error&NFuse_Message=<SCRIPT>alert("Vulnerable to XSS")</SCRIPT>

the server reflected the HTML into the returned page unchanged and the
JavaScript executed in the user's browser.
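The following is an added illustration written for this archive page, not code from the advisory or from Citrix. It models the flaw described above: the login page takes the NFuse_Message parameter from the URL and interpolates it into the error banner without output encoding. The decoder for the "xHHHH" escaping (x0020 for a space, x002e for a full stop) is assumed from the two sample URLs in the advisory, not taken from Citrix documentation; the HTML template, the function names and the is_suspicious_message triage helper are hypothetical. The hardened variant applies HTML entity encoding at the point of interpolation, which is the fix class a vendor patch for a reflected XSS of this kind would contain.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Both URLs are the ones quoted in the advisory, joined onto single lines.
BENIGN_URL = (
    "https://server/citrix/metaframexp/default/login.asp?NFuse_LogoutId=On"
    "&NFuse_MessageType=Error&NFuse_Message=Thex0020credentialsx0020supplied"
    "x0020werex0020invalidx002ex0020x0020Pleasex0020tryx0020againx002e"
)
MALICIOUS_URL = (
    "https://server/citrix/metaframexp/default/login.asp?NFuse_LogoutId=On"
    '&NFuse_MessageType=Error&NFuse_Message=<SCRIPT>alert("Vulnerable to XSS")</SCRIPT>'
)

# Assumed escaping scheme: a literal 'x' followed by four hex digits stands
# for that Unicode code point (inferred from the sample URL, not documented).
_HEX_ESC = re.compile(r"x([0-9a-fA-F]{4})")

# Hypothetical error banner; the real login.asp markup is not on the page.
TEMPLATE = '<p class="error">ERROR: {msg}</p>'


def decode_nfuse_message(raw: str) -> str:
    """Expand xHHHH escapes back into characters."""
    return _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), raw)


def message_from_url(url: str) -> str:
    """Pull NFuse_Message out of the query string and decode it."""
    params = parse_qs(urlsplit(url).query)
    raw = params.get("NFuse_Message", [""])[0]
    return decode_nfuse_message(raw)


def render_error_vulnerable(url: str) -> str:
    """Reflects the decoded parameter into HTML verbatim: the behaviour
    the advisory describes. Any markup in the parameter becomes markup
    in the page."""
    return TEMPLATE.format(msg=message_from_url(url))


def render_error_safe(url: str) -> str:
    """Entity-encodes the message at the point of interpolation so that
    '<', '>', '&' and quotes are rendered as text, never parsed as tags."""
    return TEMPLATE.format(msg=html.escape(message_from_url(url), quote=True))


def is_suspicious_message(url: str) -> bool:
    """Triage helper for access-log review: a genuine NFuse_Message is
    plain prose, so any angle bracket after decoding is worth a look."""
    decoded = message_from_url(url)
    return "<" in decoded or ">" in decoded


if __name__ == "__main__":
    for label, url in (("benign", BENIGN_URL), ("malicious", MALICIOUS_URL)):
        print(f"[{label}] vulnerable: {render_error_vulnerable(url)}")
        print(f"[{label}] safe:       {render_error_safe(url)}")
        print(f"[{label}] suspicious: {is_suspicious_message(url)}")
```

For the legitimate message the two renderers produce identical output, which is the property that makes output encoding a safe patch to ship: only inputs that already contained markup change, and for those the script tags arrive in the browser as inert `&lt;SCRIPT&gt;` text.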

Citrix were contacted and immediately confirmed that this was indeed a
security issue and set about producing a patch to include in the next update
for the product.


Tested Versions:

Citrix Metaframe XP 1.0
Web Interface 2.0


Tested Operating Systems:

Microsoft Windows 2000


Vendor & Patch Information:

Citrix were contacted on August 18th 2003 and released the update on October
2nd 2003, which can be downloaded from http://www.mycitrix.com 


Workarounds:

IRM are not aware of any workarounds for this issue.


Credits:

Research & Advisory: Andy Davis 


Disclaimer:

All information in this advisory is provided on an 'as is' 
basis in the hope that it will be useful. Information Risk Management 
Plc is not responsible for any risks or occurrences caused 
by the application of this information.


----------------------------------------------------------------------------

Information Risk Management Plc.
22 Buckingham Gate 
London 
SW1E 6LB
+44 (0)207 808 6420
