Full Disclosure mailing list archives
Citrix Web interface - Source code disclosure?
From: Phani <pklanka () gmail com>
Date: Thu, 18 Mar 2010 18:38:45 +0530
Hello all, This is with regard to the methodology that Citrix Web interface 4.5.1 employs to parse the JavaScript files. The JavaScript files in the ClientScripts folder of the web interface contain ASP.NET code. These files are referenced (using include functions) in the Citrix ASPX files for the parsing of ASP.NET content within the JS files. The resultant JavaScript content after parsing is represented inline within the ASPX page in the browser between script tags. (Process is more sort of like parsing of include files header.inc and footer.inc present in the include folder). The vulnerability lies wherein remote users can access the JavaScript files in the Clientscripts folder with ASP.NET source code, directly in the browser. Such files appear in the Content-Type: Text/HTML and disclose the ASP.NET code in the files. The examples of location of such files are below: 1. /AccessPlatform/auth/clientscripts/cookies.js 2. /AccessPlatform/auth/clientscripts/login.js My question here is if the ASP.NET source code (server side script) is presented to the web browser, are we looking at a source code disclosure vulnerability in the Web Interface 4.5.1? What would be the remediation steps in this case? Block the access to ClientScripts folder? And just wanted to ask if any one here knows any vendor patch to this issue? regards Phani
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Citrix Web interface - Source code disclosure? Phani (Mar 18)