- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Citrix Access Gateway Session ID Disclosure Issue
------------------------------------------------------------------------
SUMMARY
Citrix Access Gateways are described [1] as "universal SSL VPN appliances
providing a secure, always-on, single point-of-access to an organization's
applications and data". Amongst other features, the product provides a web
portal to corporate applications and resources.
The aim of this document is to clearly define an issue that exists with
the Citrix Access Gateway product [1] that will allow an attacker to gain
access to an authenticated users' session ID.
DETAILS
Vulnerable Systems:
* Citrix Advanced Access Control version 4.0
* Citrix Advanced Access Control version 4.2
* Citrix Access Gateway version 4.5 Advanced Edition
* Citrix Access Gateway version 4.5 Standard Edition
The web portal interface incorporates a collection of .NET scripts, which
utilize a session ID contained within cookies. During the authentication
sequence the user session is redirected via a HTTP meta refresh header in
an HTML response. The browser subsequently uses this within the next GET
request (and the referer header field of the next HTTP request), placing
the session ID in history files, and both client and server logs. The use
of the session ID within the HTML content is made worse by the application
not setting the HTTP cache control headers appropriately, which can lead
to the HTML content being stored within the local browser cache.
Where this is a particularly problem, is where the web portal is accessed
from a shared or public access terminal, such as an Internet Cafe; the
very environment that this type of solution is intended for.
If an attacker can gain access to the session ID by any mechanism (such as
by recovering it from the local cache or logs), then they will be able to
access all the resources that are available to the user.
Strong authentication technology, such as SecurID 2FA, does not protect
against this style of attack, as the session ID is generated after the
strong authentication process is completed.
Recommendations:
Review the recommendations in the Citrix alert [2]. If possible, upgrade
to a version of the Citrix Access Gateway product that does not exhibit
this issue.
Until the product is upgraded, consider reviewing you remote access policy
to restrict the use of the product in shared-access environments.
References:
[1]
<http://www.citrix.com/English/ps2/products/product.asp?contentID=15005>
http://www.citrix.com/English/ps2/products/product.asp?contentID=15005
[2] <http://support.citrix.com/article/CTX113814>
http://support.citrix.com/article/CTX113814
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0011>
CVE-2007-0011
ADDITIONAL INFORMATION
The information has been provided by <mailto:martin.oneal@corsaire.com>
Martin O'Neal.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
1 comment:
tramadol online buy tramadol online cheap no prescription - tramadol dosage uses
Post a Comment