NI3
11-03-2003, 09:09 AM
Security-Corporation ID : SC-0720
Author : IRM Advisories <[Only registered and activated users can see links]>
Product : Citrix Metaframe XP 1.0
----------------------------------------------------------------------------
IRM Security Advisory No. 008

Citrix Metaframe XP is vulnerable to Cross Site Scripting

Vulnerability Type / Importance: XSS / Medium

Problem discovered: August 18th 2003
Vendor contacted: August 18th 2003
Advisory published: October 31st 2003
----------------------------------------------------------------------------

Abstract:

The Citrix MetaFrame Access Suite is a product that enables users to access enterprise applications and information on demand. Metaframe XP is vulnerable to a Cross-Site Scripting attack based on the manipulation of error messages sent to the user's web browser.

Description:

During a recent penetration test IRM identified a machine running Citrix Metaframe XP that prompted for authentication credentials. When 'random' credentials were supplied, a page was returned displaying the following error:

"ERROR: The credentials supplied were invalid. Please try again."

The text used to construct this error message formed part of the URL:

[Only registered and activated users can see links]
NFuse_LogoutId=On&NFuse_MessageType=Error&NFuse_Message=Thex0020credentialsx0020suppliedx0020werex0020invalidx002ex0020x0020Pleasex0020tryx0020againx002e

If the URL was changed to the following:

[Only registered and activated users can see links]
NFuse_LogoutId=On&NFuse_MessageType=Error&NFuse_Message=<SCRIPT>alert("Vulnerable to XSS")</SCRIPT>

the server processed the HTML and executed the JavaScript in the user's browser.

Citrix were contacted and immediately confirmed that this was indeed a security issue and set about producing a patch to include in the next update for the product.

Tested Versions:

Citrix Metaframe XP 1.0
Web Interface 2.0

Tested Operating Systems:

Microsoft Windows 2000

Vendor & Patch Information:

Citrix were contacted on August 18th 2003 and released the update on October 2nd 2003, which can be downloaded from [Only registered and activated users can see links]

Workarounds:

IRM are not aware of any workarounds for this issue.

Credits:

Research & Advisory: Andy Davis

Disclaimer:

All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.

----------------------------------------------------------------------------

Information Risk Management Plc.
22 Buckingham Gate
London
SW1E 6LB
+44 (0)207 808 6420
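
The flaw described in the advisory and two ways to close it, as an added example that is not part of the original advisory and is not Citrix code. It assumes that `xNNNN` in the quoted URL is a four-hex-digit character escape; the `NFuse_MessageKey` parameter and the `MESSAGES` catalogue are hypothetical.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption: "xNNNN" in the advisory's URL is a four-hex-digit character
# escape (x0020 = space, x002e = full stop), as its sample error text suggests.
_ESCAPE = re.compile(r"x([0-9a-fA-F]{4})")

# Hypothetical message catalogue for the allowlist variant.
MESSAGES = {"InvalidCredentials": "The credentials supplied were invalid. Please try again."}


def message_from_query(query: str) -> str:
    """Extract NFuse_Message from a query string and undo the xNNNN escapes."""
    raw = parse_qs(query, keep_blank_values=True).get("NFuse_Message", [""])[0]
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw)


def render_vulnerable(query: str) -> str:
    """Behaviour the advisory describes: the parameter reaches the page as markup."""
    return f'<p class="error">ERROR: {message_from_query(query)}</p>'


def render_encoded(query: str) -> str:
    """Fix 1: HTML-encode the value at the point of output."""
    return f'<p class="error">ERROR: {html.escape(message_from_query(query))}</p>'


def render_by_key(query: str) -> str:
    """Fix 2: the URL carries only a key; display text comes from the server."""
    key = parse_qs(query).get("NFuse_MessageKey", [""])[0]  # hypothetical parameter
    text = MESSAGES.get(key, "An error occurred.")
    return f'<p class="error">ERROR: {html.escape(text)}</p>'


# Constructed inputs, using the query strings quoted in the advisory.
BASE = "NFuse_LogoutId=On&NFuse_MessageType=Error&NFuse_Message="
BENIGN = BASE + "Thex0020credentialsx0020suppliedx0020werex0020invalidx002e"
MARKUP = BASE + '<SCRIPT>alert("Vulnerable to XSS")</SCRIPT>'

if __name__ == "__main__":
    for render in (render_vulnerable, render_encoded):
        print(render.__name__, "->", render(MARKUP))
```

Encoding at output stops script execution, but the page still shows whatever text the URL supplies; the key-based variant also removes that content-spoofing path.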