Company

Technical Security Consulting

Managing Risk

Research & Development

Forensics

Security Management

Media Centre

PCI DSS

• Home
• Overview
• R&D Services
• Technology Focus
• Messaging Systems Security
• Embedded Systems Security
• Collaborative Research Projects
• Technical Whitepapers
• Research Briefings
• Publicly Released Tools
• Vendor Alerts - 0days
• Security Advisories
• Advisories
• Advisory 028
• Advisory 027
• Advisory 026
• Advisory 025
• Advisory 024
• Advisory 023
• Advisory 022
• Advisory 021
• Advisory 020
• Advisory 019
• Advisory 018
• Advisory 017
• Advisory 016
• Advisory 015
• Advisory 014
• Advisory 013
• Advisory 012
• Advisory 011
• Advisory 010
• Advisory 009
• Advisory 008
• Advisory 007
• Advisory 006
• Advisory 005
• Advisory 004
• Advisory 003
• Advisory 002
• Advisory 001

Advisory 008

Citrix Metaframe XP is vulnerable to Cross Site Scripting
Vulnerablity Type / Importance: XSS / Medium

Problem discovered: August 18th 2003
Vendor contacted: August 18th 2003
Advisory published: October 31st 2003

Abstract :
The Citrix MetaFrame Access Suite is a product that enables users to access enterprise applications and information on demand.

Metaframe XP is vulnerable to a Cross-Site Scripting attack based on the manipulation of error messages sent to user's web browser.

Description :
During a recent penetration test IRM identified a machine running Citrix Metaframe XP that prompted for authentication credentials.

When 'random' credentials were supplied, a page was returned displaying the following error:

"ERROR: The credentials supplied were invalid. Please try again."

The text used to construct this error message formed part of the URL:

https://server/citrix/metaframexp/default/login.asp?NFuse_LogoutId=On&NFuse_MessageType=Error&NFuse_Message=

Thex0020credentialsx0020suppliedx0020werex0020invalidx002ex0020x0020Pleasex0020
tryx0020 againx002e

If the URL was changed to the following:

https://server/citrix/metaframexp/default/login.asp?NFuse_LogoutId=On&NFuse_Message
Type=Error&NFuse_Message=

<SCRIPT>alert("Vulnerable to XSS")</SCRIPT>

the server processed the HTML and executed the javascript on the user's browser.

Citrix were contacted and immediately confirmed that this was indeed a security issue and set about producing a patch to include in the next update for the product.

Tested Versions:
Citrix Metaframe XP 1.0

Web Interface 2.0

Tested Operating Systems:

Microsoft Windows 2000

Vendor & Patch Information:
Citrix were contacted on August 18th 2003 and released the update on October 2nd 2003, which can be downloaded from http://www.mycitrix.com

Workarounds:
IRM are not aware of any workarounds for this issue.

Credits :
Research & Advisory: A Davis

Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.