[NEWS] Citrix Metaframe XP is vulnerable to Cross Site Scripting

From: SecuriTeam (support_at_securiteam.com)
Date: 11/02/03

  • Next message: SecuriTeam: "[TOOL] SIDTk - SecurIT Intrusion Detection Toolkit"
    To: list@securiteam.com
    Date: 2 Nov 2003 19:07:58 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Citrix Metaframe XP is vulnerable to Cross Site Scripting
    ------------------------------------------------------------------------

    SUMMARY

    The Citrix MetaFrame Access Suite is a product that enables users to
    access enterprise applications and information on demand. MetaFrame XP is
    vulnerable to a Cross-Site Scripting attack based on the manipulation of
    error messages sent to user's web browser.

    DETAILS

    Vulnerable systems:
     * Citrix MetaFrame XP 1.0
     * Web Interface 2.0

    During a recent penetration test, IRM identified a machine running Citrix
    MetaFrame XP that prompted for authentication credentials. When 'random'
    credentials were supplied, a page was returned displaying the following
    error:
    "ERROR: The credentials supplied were invalid. Please try again."

    The text used to construct this error message formed part of the URL:
    https://server/citrix/metaframexp/default/login.asp?NFuse_LogoutId=On&NFuse_
    MessageType=Error&NFuse_Message=Thex0020credentialsx0020suppliedx0020werex00
    20invalidx002ex0020x0020Pleasex0020tryx0020againx002e

    If the URL was changed to the following:
    https://server/citrix/metaframexp/default/login.asp?NFuse_LogoutId=On&NFuse_
    MessageType=Error&NFuse_Message=< SCRIPT>alert("Vulnerable to
    XSS")</SCRIPT>

    The server processed the HTML and executed the JavaScript on the user's
    browser.

    Citrix were contacted and immediately confirmed that this was indeed a
    security issue and set about producing a patch to include in the next
    update for the product.

    Vendor & Patch Information:
    Citrix were contacted on August 18th 2003 and released the update on
    October 2nd 2003, which can be downloaded from <http://www.mycitrix.com>
    http://www.mycitrix.com.

    Workarounds:
    IRM are not aware of any workarounds for this issue.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:advisories@irmplc.com> IRM
    Advisories.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[TOOL] SIDTk - SecurIT Intrusion Detection Toolkit"

    Relevant Pages

    • [NT] Citrix Metaframe Presentation Server Policies Bypassing
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability in Presentation Server allows a user bypass Citrix ... policies that have been applied to client name. ...
      (Securiteam)
    • [NT] Citrix MetaFrames Administrator Client Drivers Access
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Access to the drives is granted as the user running the Citrix ... * Citrix MetaFrame XP 1.0 ... customers may wish to apply a Hotfix. ...
      (Securiteam)
    • [NEWS] Firefox Cross-Domain Text Theft
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Firefox Cross-Domain Text Theft ... theft is via cross-domain information leaks in JavaScript error messages ... error messages are made available to the window.onerror handler. ...
      (Securiteam)
    • [REVS] Blindfolded SQL Injection
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... exploiting SQL Injection attacks depended on having the Web ... error messages, assuming this would protect them from SQL Injection ...
      (Securiteam)