Citrix NetScaler VPX Cross Site Scripting

2015.03.20

Credit: Han Sahin

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

------------------------------------------------------------------------
Citrix NetScaler VPX help pages are vulnerable to Cross-Site Scripting
------------------------------------------------------------------------
Han Sahin, August 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the help pages of Citrix VPX are vulnerable to
Cross-Site Scripting. This issue allows attackers to perform a wide
variety of actions, such as stealing the victim's session token or login
credentials, performing arbitrary actions on the victim's behalf, and
logging their keystrokes.

------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was discovered in Citrix NetScaler VPX NSVPX-ESX-10.5-50.10,
other versions may also be vulnerable.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Citrix reports that this vulnerability is fixed in NetScaler 10.5 build
52.8nc.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20140807/citrix_netscaler_vpx_help_pages_are_vulnerable_to_cross_site_scripting.html

This issue exists because the value of the searchQuery URL parameter is assigned client-side to contentDiv.innerHTML (DOM-based Cross-Site Scripting), for example:

https://<target>/help/rt/large_search.html?searchQuery=<h1>Reset your password below:<h1><iframe src='http://www.evil.com'/>&type=ctxTV

Tricking a victim into visiting a specially crafted URL allows attackers to run arbitrary client-side scripting code within the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

References:

https://www.securify.nl/advisory/SFY20140807/citrix_netscaler_vpx_help_pages_are_vulnerable_to_cross_site_scripting.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Citrix NetScaler VPX Cross Site Scripting

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.