[23958] in bugtraq
RE: Citrix NFuse 1.6
daemon@ATHENA.MIT.EDU (steven.sporen@za.pwcglobal.com)
Wed Jan 23 13:30:25 2002
From: <steven.sporen@za.pwcglobal.com>
Date: Wed, 23 Jan 2002 09:23:49 +0200
To: Jeff.Mills@pocoldlogistics.com
Cc: bugtraq@securityfocus.com
Message-id: <OF6D977D2C.D79E40F5-ON42256B4A.0021E974@ema.pwcinternal.com>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Hi,
Citrix NFuse makes use of a session cookie to track if a user is logged in.
If you hit the applist.asp AFTER you have logged in at any point then the
applications associated to your session will be displayed.
The cookie is deleted if you close all your explorer browsers or changed if
you logout (updated to point to your logout.asp page). This could cause a
problem for users who don't close down explorer after they have used the
NFuse session but simply enter another URL in the address field. Since the
cookie is still there, a would be intruder could simply enter the URL of
the NFuse applist.asp or frameset.asp and receive the user's application
list.
I patched ours by putting the following at the top of the applist.asp and
frameset.asp:
<%
NFUSEbaseURL = "https://" & Request.ServerVariables("HTTP_HOST") &
"/citrix/nfuse161/"
If Left(Request.ServerVariables("HTTP_REFERER"), Len(NFUSEbaseURL)) <>
NFUSEbaseURL then
Response.Redirect(NFUSEbaseURL)
End If
%>
This confirms that the page as referenced from within the site which seems
to solve the problem.
Regards
Steven Sporen
Jeff Mills
<Jeff.Mills@pocoldlogi To: bugtraq@securityfocus.com
stics.com> cc:
2002/01/22 11:43 PM Subject: RE: Citrix NFuse 1.6
Size: 4 Kb
Tom and all,
I could not reproduce this problem.
My NFuse 1.6 server seems to redirect to the login page if I try to connect
directly to applist.asp.
Cheers,
Jeff Mills
-----Original Message-----
From: Tom.Lyne@kamino.com [mailto:Tom.Lyne@kamino.com]
Sent: Wednesday, 23 January 2002 2:58
To: bugtraq@securityfocus.com
Subject: Citrix NFuse 1.6
Dear Reader,
It seems if you go to an NFuse servers 'applist.asp' page without
first authenticating it reveals a list of all the applications that are
configured as published applications. Seems like an easily preventable
information leak from a default setup,
Rgds,
Tom Lyne
----------------------------------------------------------------
The information transmitted is intended only for the person or
entity to which it is addressed and may contain confidential and/or
privileged material. Any review, retransmission, dissemination or
other use of, or taking of any action in reliance upon, this
information by persons or entities other than the intended
recipient is prohibited. If you received this in error, please
contact the sender and delete the material from any computer.
