[NEWS] Citrix Metaframe XP is vulnerable to Cross Site Scripting

From: SecuriTeam (support_at_securiteam.com)
Date: 11/02/03

  • Next message: SecuriTeam: "[TOOL] SIDTk - SecurIT Intrusion Detection Toolkit"
    To: list@securiteam.com
    Date: 2 Nov 2003 19:07:58 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      Citrix Metaframe XP is vulnerable to Cross Site Scripting


    The Citrix MetaFrame Access Suite is a product that enables users to
    access enterprise applications and information on demand. MetaFrame XP is
    vulnerable to a Cross-Site Scripting attack based on the manipulation of
    error messages sent to user's web browser.


    Vulnerable systems:
     * Citrix MetaFrame XP 1.0
     * Web Interface 2.0

    During a recent penetration test, IRM identified a machine running Citrix
    MetaFrame XP that prompted for authentication credentials. When 'random'
    credentials were supplied, a page was returned displaying the following
    "ERROR: The credentials supplied were invalid. Please try again."

    The text used to construct this error message formed part of the URL:

    If the URL was changed to the following:
    MessageType=Error&NFuse_Message=< SCRIPT>alert("Vulnerable to

    The server processed the HTML and executed the JavaScript on the user's

    Citrix were contacted and immediately confirmed that this was indeed a
    security issue and set about producing a patch to include in the next
    update for the product.

    Vendor & Patch Information:
    Citrix were contacted on August 18th 2003 and released the update on
    October 2nd 2003, which can be downloaded from <http://www.mycitrix.com>

    IRM are not aware of any workarounds for this issue.


    The information has been provided by <mailto:advisories@irmplc.com> IRM


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[TOOL] SIDTk - SecurIT Intrusion Detection Toolkit"