Penetration Testing mailing list archives

Re: [PEN-TEST] Citrix


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Mon, 9 Oct 2000 13:48:34 -0700

The most I've done with it is play with the "remember password" feature on
the client.  For old Citrix clients and MSTerminal clients, it was
"encrypted" by XORing it with a fixed string.  The feature shouldn't be
there, it can't be done securely.  If you can get control of a client with
a stored password, there ya go.

                                        Ryan

On Mon, 9 Oct 2000, Beauregard, Claude Q wrote:

Has anyone done any penetration regarding Citrix and Internet access as
provided by the Citrix servers to internal network resources? Even though
they are now using 128-bit encryption for the client the hole in the firewall
is there waiting to be exploited.
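
Added example, not part of the original message and not code from any Citrix or Terminal Server client: a sketch of why XORing a saved password with a fixed string gives it no confidentiality. `FIXED_KEY` and both sample passwords are constructed for illustration; the real clients' string and storage format are not given on this page.

```python
from itertools import cycle

# Constructed stand-in for a string compiled into every copy of a client.
# Assumption for illustration only; not the value any real client used.
FIXED_KEY = b"ExampleFixedKey!"

# Constructed sample passwords.
SAMPLE_A = b"Winter2000!"
SAMPLE_B = b"citrix-user"


def xor_obfuscate(data: bytes, key: bytes = FIXED_KEY) -> bytes:
    """XOR data with a repeating key. The same call reverses itself."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def key_bytes_from_known_pair(password: bytes, stored: bytes) -> bytes:
    """One known password plus its stored form reveals the key bytes used."""
    return bytes(p ^ s for p, s in zip(password, stored))


def xor_of_stored(a: bytes, b: bytes) -> bytes:
    """The fixed key cancels: stored_a ^ stored_b == password_a ^ password_b."""
    return bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    stored_a = xor_obfuscate(SAMPLE_A)
    stored_b = xor_obfuscate(SAMPLE_B)

    # 1. There is no secret per user or per machine: the routine and key that
    #    shipped with the client undo the "encryption" directly.
    print("round trip:", xor_obfuscate(stored_a))

    # 2. The stored value has the same length as the password.
    print("length leaked:", len(stored_a) == len(SAMPLE_A))

    # 3. Anyone who saves a password of their own learns the key bytes,
    #    which are identical on every other installation.
    recovered = key_bytes_from_known_pair(SAMPLE_A, stored_a)
    print("key bytes exposed:", recovered == FIXED_KEY[:len(SAMPLE_A)])

    # 4. Two stored values compared with each other no longer depend on the key.
    print("key cancels:", xor_of_stored(stored_a, stored_b)
          == xor_of_stored(SAMPLE_A, SAMPLE_B))
```

Each check prints a true result, which is the point made above: with the key fixed in the client, a stored password is only as protected as the file or registry entry that holds it.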


