Security bug: Users can change Citrix WI Site by changing path in URL
April 6, 2012
At first I thought I was going out of my mind, fortunately Citrix Tech Support has confirmed this bug and are working on a solution.
Installing a brand new pair of Citrix NetScaler MPX 5500 with the latest Citrix NetScaler build (9.3-55.6).
The Citrix NetScaler security design was made so to create 9 Access Gateway Virtual Servers all with their own Citrix Web Interface site so that all the traffic could be isolated and different kinds of security measures could be applied to the different Access Gateway Virtual Servers. There are multiple Citrix XenApp Farms in de backend where the different users would land depending of the target audience.
So, done installing 9 Citrix Access Gateway virtual servers and 9 Citrix Web Interface sites (Web Interface for Citrix NetScaler). So the setup is like this:
portal1.domain.com (Access Gateway) => /Citrix/XenApp1 (Web Interface) => XenApp Farm 1
portal2.domain.com (Access Gateway) => /Citrix/XenApp2 (Web Interface) => XenApp Farm 2
When users successfully logon portal1.domain.com and see the Published Applications of XenApp Farm 1, you can see the URL in the address bar pointing to Citrix Web Interface 1 /Citrix/XenApp1. If the user simply replaces the 1 with a 2 it can see and start the Published Applications of XenApp Farm 2 without re-authenticating or any other effort . Granted, a user must have permissions on the published applications to access them.
At first I thought this was a problem of Web Interface for Citrix NetScaler because it basically uses 127.0.0.1:8080 for all Web Interface publications so I tried the same on Web Interface for Windows thinking to bypass the problem using Web Interface for Windows for the time being, unfortunately, same issue.
What products does this affect?
Well, not sure. At least a combination of the the following:
– Citrix NetScaler 9.3-55.6
– Citrix Web Interface for NetScaler 1.3
– Citrix web Interface for Windows 5.4.
What you could for a workaround is don’t create obvious following up numbers within Citrix Web Interface. So for portal1, do no create /Citrix/XenApp1 but create something like /Citrix/wohrtg079e4jd8jkw02 instead. The longer the better.
Another workaround or add-on workaround would be to carefully set permissions on published applications in the different environments, not use just Domain Users.
I do not think a lot of customers will run into trouble with this since you need to be authenticated anyway, so the only thread that you could have are from your trusted users. And we all trust our users right?