----------------------------------------------------------------------------
IRM Security Advisory No. 008
Citrix Metaframe XP is vulnerable to Cross Site Scripting
Vulnerability Type / Importance: XSS / Medium
Problem discovered: August 18th 2003
Vendor contacted: August 18th 2003
Advisory published: October 31st 2003
----------------------------------------------------------------------------
Abstract:
The Citrix MetaFrame Access Suite is a product that enables users to access
enterprise applications and information on demand. Metaframe XP is
vulnerable to a Cross-Site Scripting attack based on the manipulation of
error messages sent to the user's web browser.
Description:
During a recent penetration test IRM identified a machine running Citrix
Metaframe XP that prompted for authentication credentials. When 'random'
credentials were supplied, a page was returned displaying the following
error:
"ERROR: The credentials supplied were invalid. Please try again."
The text used to construct this error message formed part of the URL:
https://server/citrix/metaframexp/default/login.asp?NFuse_LogoutId=On&NFuse_MessageType=Error&NFuse_Message=Thex0020credentialsx0020suppliedx0020werex0020invalidx002ex0020x0020Pleasex0020tryx0020againx002e
If the URL was changed to the following:
https://server/citrix/metaframexp/default/login.asp?NFuse_LogoutId=On&NFuse_MessageType=Error&NFuse_Message=<SCRIPT>alert("Vulnerable to XSS")</SCRIPT>
the server returned the supplied HTML unescaped in the error page and the
JavaScript was executed in the user's browser.
Citrix were contacted and immediately confirmed that this was indeed a
security issue and set about producing a patch to include in the next update
for the product.
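Added example (not part of the IRM advisory and not Citrix code): a Python sketch of the error-message handling described above, showing the unescaped rendering beside two hardened forms. The function names, the "ERROR: " wrapper markup and the reading of "xNNNN" as one hex-encoded character are assumptions inferred from the URLs in this advisory.

```python
import html
import re

# Assumption: "xNNNN" (x + four hex digits) encodes one character, inferred
# from the advisory's URL, where x0020 is a space and x002e a full stop.
_ESCAPE = re.compile(r"x([0-9a-fA-F]{4})")

# Sample inputs: the two NFuse_Message values quoted in the advisory.
BENIGN = ("Thex0020credentialsx0020suppliedx0020werex0020invalidx002e"
          "x0020x0020Pleasex0020tryx0020againx002e")
SCRIPT = '<SCRIPT>alert("Vulnerable to XSS")</SCRIPT>'


def decode_message(raw: str) -> str:
    """Turn xNNNN sequences back into characters."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw)


def render_vulnerable(raw: str) -> str:
    """Behaviour described in the advisory: request text is written as HTML."""
    return "<p>ERROR: " + decode_message(raw) + "</p>"


def render_escaped(raw: str) -> str:
    """Decode first, then HTML-escape, so encoded markup is neutralised too."""
    return "<p>ERROR: " + html.escape(decode_message(raw), quote=True) + "</p>"


# Stronger design: the URL carries only a message id; the text stays server-side.
MESSAGES = {
    "invalid_credentials":
        "The credentials supplied were invalid.  Please try again.",
}


def render_by_id(message_id: str) -> str:
    """Unknown ids fall back to a fixed string; no request text is echoed."""
    text = MESSAGES.get(message_id, "An error occurred.")
    return "<p>ERROR: " + html.escape(text) + "</p>"


if __name__ == "__main__":
    for sample in (BENIGN, SCRIPT):
        print(render_vulnerable(sample))
        print(render_escaped(sample))
    print(render_by_id("invalid_credentials"))
```

Escaping has to happen after decoding: escaping the raw parameter first would leave any markup hidden inside xNNNN sequences intact.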
Tested Versions:
Citrix Metaframe XP 1.0
Web Interface 2.0
Tested Operating Systems:
Microsoft Windows 2000
Vendor & Patch Information:
Citrix were contacted on August 18th 2003 and released the update on October
2nd 2003, which can be downloaded from http://www.mycitrix.com
Workarounds:
IRM are not aware of any workarounds for this issue.
Credits:
Research & Advisory: Andy Davis
Disclaimer:
All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.
----------------------------------------------------------------------------
Information Risk Management Plc.
22 Buckingham Gate
London
SW1E 6LB
+44 (0)207 808 6420