------------------------------------------------------------------------
Advent JMX Servlet of Citrx Command Center is accessible to
unauthenticated users
------------------------------------------------------------------------
Han Sahin, August 2014
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Advent JMX Servlet of Citrix Command Center
is accessible to unauthenticated users. This issue can be abused by
attackers to comprise the entire application.
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was discovered in Citrix Command Center 5.1 build 33.3
(including patch CC_SP_5.2_40_1.exe), other versions may also be
vulnerable.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Citrix reports that this vulnerability is fixed in Command Center 5.2
build 42.7, which can be downloaded from the following location (login
required).
https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html
Citrix assigned BUG0494204 to this issue.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20140804/advent_jmx_servlet_of_citrx_command_center_is_accessible_to_unauthenticated_users.html
The Advent JMX Servlet is exposed at /servlets/Jmx_dynamic. Functionality exposed by the JMX Servlet can be invoked by an unauthenticated attacker, which can lead to unauthorized remote code execution and comprise of the entire application and services. In addition, this interface is also affected by Cross-Site Scripting. For example:
https://<target>:8443/servlets/Jmx_dynamic?fname=<script>alert(document.cookie);</script>