Citrix Web interface - Source code disclosure?

[Phani <pklanka () gmail com>]

Hello all,

This is with regard to the methodology that Citrix Web interface 4.5.1
employs to parse the JavaScript files.

The JavaScript files in the ClientScripts folder of the web interface
contain ASP.NET code. These files are referenced (using include functions)
in the Citrix ASPX files for the parsing of ASP.NET content within the JS
files. The resultant JavaScript content after parsing is represented inline
within the ASPX page in the browser between script tags. (Process is more
sort of like parsing of include files header.inc and footer.inc present in
the include folder).

The vulnerability lies wherein remote users can access
the JavaScript files in the Clientscripts folder with ASP.NET source code,
directly in the browser. Such files appear in the Content-Type: Text/HTML
and disclose the ASP.NET code in the files. The examples of location of such
files are below:

1. /AccessPlatform/auth/clientscripts/cookies.js
2. /AccessPlatform/auth/clientscripts/login.js

My question here is if the ASP.NET source code (server side script) is
presented to the web browser, are we looking at a source code disclosure
vulnerability in the Web Interface 4.5.1?

What would be the remediation steps in this case? Block the access to
ClientScripts folder?

And just wanted to ask if any one here knows any vendor patch to this issue?

regards
Phani

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/