RE: Citrix NFuse 1.6

From: steven.sporenat_private
Date: Tue Jan 22 2002 - 23:23:49 PST

Next message: Mandrake Linux Security Team: "MDKSA-2002:008 - jmcce update"

Previous message: bugzillaat_private: "[RHSA-2002:015-13] Updated at package available"
Maybe in reply to: Tom.Lyneat_private: "Citrix NFuse 1.6"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

Citrix NFuse makes use of a session cookie to track if a user is logged in.
If you hit the applist.asp AFTER you have logged in at any point then the
applications associated to your session will be displayed.

The cookie is deleted if you close all your explorer browsers or changed if
you logout (updated to point to your logout.asp page). This could cause a
problem for users who don't close down explorer after they have used the
NFuse session but simply enter another URL in the address field. Since the
cookie is still there, a would be intruder could simply enter the URL of
the NFuse applist.asp or frameset.asp and receive the user's application
list.

I patched ours by putting the following at the top of the applist.asp and
frameset.asp:

<%
  NFUSEbaseURL = "https://" & Request.ServerVariables("HTTP_HOST") &
"/citrix/nfuse161/"
  If Left(Request.ServerVariables("HTTP_REFERER"), Len(NFUSEbaseURL)) <>
NFUSEbaseURL then
    Response.Redirect(NFUSEbaseURL)
  End If
%>

This confirms that the page as referenced from within the site which seems
to solve the problem.

Regards
  Steven Sporen



                                                                                                   
                    Jeff Mills                                                                     
                    <Jeff.Mills@pocoldlogi      To:      bugtraqat_private                 
                    stics.com>                  cc:                                                
                    2002/01/22 11:43 PM         Subject:      RE: Citrix NFuse 1.6                 
                                                                                                   
                                                                                                   
                                                                                                   



 Size: 4 Kb


Tom and all,
I could not reproduce this problem.
My NFuse 1.6 server seems to redirect to the login page if I try to connect
directly to applist.asp.

Cheers,

Jeff Mills




-----Original Message-----
From: Tom.Lyneat_private [mailto:Tom.Lyneat_private]
Sent: Wednesday, 23 January 2002 2:58
To: bugtraqat_private
Subject: Citrix NFuse 1.6


Dear Reader,

      It seems if you go to an NFuse servers 'applist.asp' page without
first authenticating it reveals a list of all the applications that are
configured as published applications. Seems like an easily preventable
information leak from a default setup,

Rgds,
Tom Lyne



----------------------------------------------------------------
        The information transmitted is intended only for the person or
        entity to which it is addressed and may contain confidential and/or
        privileged material.  Any review, retransmission, dissemination or
        other use of, or taking of any action in reliance upon, this
        information by persons or entities other than the intended
        recipient is prohibited.   If you received this in error, please
        contact the sender and delete the material from any computer.

Next message: Mandrake Linux Security Team: "MDKSA-2002:008 - jmcce update"
Previous message: bugzillaat_private: "[RHSA-2002:015-13] Updated at package available"
Maybe in reply to: Tom.Lyneat_private: "Citrix NFuse 1.6"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jan 23 2002 - 10:30:11 PST