Citrix MetaFrame XP Error Page XSS

2003-11-03T10:38:47
ID OSVDB:2762
Type osvdb
Reporter OSVDB
Modified 2003-11-03T10:38:47

Description

Vulnerability Description

Citrix MetaFrame XP version 1.0 contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the "NFuse_Message" parameter when generating error messages. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Technical Description

Citrix MetaFrame is a remote desktop application that works with Windows Terminal Services to provide application server capabilities.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Citrix Systems has released a patch to address this vulnerability.
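
One way to check web server logs for requests that carry markup in the "NFuse_Message" parameter is sketched below. This is an added example, not code from OSVDB or Citrix; the log format, the placeholder path /EXAMPLE/error-page, the case-insensitive parameter match and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed access-log lines (common log format). /EXAMPLE/error-page is a
# placeholder, not the product's real error-page path.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Nov/2003:10:01:02 +0000] "GET /EXAMPLE/error-page?NFuse_Message=Session+expired HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Nov/2003:10:02:10 +0000] "GET /EXAMPLE/error-page?NFuse_Message=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 540',
    '10.0.0.9 - - [03/Nov/2003:10:02:44 +0000] "GET /EXAMPLE/error-page?nfuse_message=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 530',
    '10.0.0.7 - - [03/Nov/2003:10:03:00 +0000] "GET /EXAMPLE/login?user=alice HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that have no place in a plain-text error message (heuristic).
MARKUP_RE = re.compile(r'[<>"]|javascript:', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_nfuse_messages(lines):
    """Return (line_number, decoded_value) for NFuse_Message values carrying markup."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand
        query = urlsplit(match.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # Assumption: match the parameter name case-insensitively.
            if name.lower() != "nfuse_message":
                continue
            decoded = fully_decode(value)
            if MARKUP_RE.search(decoded):
                hits.append((lineno, decoded))
    return hits

if __name__ == "__main__":
    for lineno, value in suspicious_nfuse_messages(SAMPLE_LOG):
        print(f"line {lineno}: NFuse_Message carries markup: {value!r}")
```

The markup pattern is a heuristic and should be tuned against the messages the deployment legitimately produces.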

References:

Vendor URL: http://www.mycitrix.com/
Secunia Advisory ID: 10127
ISS X-Force ID: 13569
Generic Exploit URL: http://archives.neohapsis.com/archives/bugtraq/2003-10/0341.html
Bugtraq ID: 8939