Citrx Command Center Advent JMX Servlet Accessible

2015-03-20T00:00:00
ID PACKETSTORM:130930
Type packetstorm
Reporter Han Sahin
Modified 2015-03-20T00:00:00

Description

                                        
                                            `------------------------------------------------------------------------  
Advent JMX Servlet of Citrx Command Center is accessible to  
unauthenticated users  
------------------------------------------------------------------------  
Han Sahin, August 2014  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
It was discovered that the Advent JMX Servlet of Citrix Command Center  
is accessible to unauthenticated users. This issue can be abused by  
attackers to comprise the entire application.  
  
------------------------------------------------------------------------  
Tested version  
------------------------------------------------------------------------  
This issue was discovered in Citrix Command Center 5.1 build 33.3  
(including patch CC_SP_5.2_40_1.exe), other versions may also be  
vulnerable.  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
Citrix reports that this vulnerability is fixed in Command Center 5.2  
build 42.7, which can be downloaded from the following location (login  
required).  
https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html  
  
Citrix assigned BUG0494204 to this issue.  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://www.securify.nl/advisory/SFY20140804/advent_jmx_servlet_of_citrx_command_center_is_accessible_to_unauthenticated_users.html  
  
The Advent JMX Servlet is exposed at /servlets/Jmx_dynamic. Functionality exposed by the JMX Servlet can be invoked by an unauthenticated attacker, which can lead to unauthorized remote code execution and comprise of the entire application and services. In addition, this interface is also affected by Cross-Site Scripting. For example:  
  
https://<target>:8443/servlets/Jmx_dynamic?fname=<script>alert(document.cookie);</script>  
`