Message-ID: <550AF57C.7050202@securify.nl>
Date: Thu, 19 Mar 2015 17:12:44 +0100
From: "Securify B.V." <lists@...urify.nl>
To: fulldisclosure@...lists.org
Subject: [FD] Citrix Command Center allows downloading of configuration files

------------------------------------------------------------------------
Citrix Command Center allows downloading of configuration files
------------------------------------------------------------------------
Han Sahin, August 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Citrix Command Center stores configuration files
containing credentials of managed devices within a folder accessible
through the web server. Unauthenticated attackers can download any
configuration file stored in this folder, decode passwords stored in
these files, and gain privileged access to devices managed by Command
Center.

------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was discovered in Citrix Command Center 5.1 build 33.3
(including patch CC_SP_5.2_40_1.exe); other versions may also be
vulnerable.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Citrix reports that this vulnerability is fixed in Command Center 5.2
build 42.7, which can be downloaded from the following location (login
required):
https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html

Citrix assigned BUG0493933 to this issue.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20140802/citrix_command_center_allows_downloading_of_configuration_files.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
