RE: Citrix NFuse 1.6

Hi,

Citrix NFuse makes use of a session cookie to track if a user is logged in.
If you hit applist.asp AFTER you have logged in at any point, then the
applications associated with your session will be displayed.

The cookie is deleted if you close all your explorer browsers or changed if
you log out (updated to point to your logout.asp page). This could cause a
problem for users who don't close down explorer after they have used the
NFuse session but simply enter another URL in the address field. Since the
cookie is still there, a would-be intruder could simply enter the URL of
the NFuse applist.asp or frameset.asp and receive the user's application
list.

I patched ours by putting the following at the top of the applist.asp and
frameset.asp:

<%
  ' Base URL of the NFuse site; the referer must begin with this
  NFUSEbaseURL = "https://" & Request.ServerVariables("HTTP_HOST") & _
                 "/citrix/nfuse161/"
  ' Redirect to the site's entry page unless the request came from within it
  If Left(Request.ServerVariables("HTTP_REFERER"), Len(NFUSEbaseURL)) <> _
     NFUSEbaseURL Then
    Response.Redirect(NFUSEbaseURL)
  End If
%>

This confirms that the page was referenced from within the site, which seems
to solve the problem.

Regards
  Steven Sporen
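
Added example (not from the thread and not Citrix's code): a small Python
model of the access decision for applist.asp. It ports the referer prefix
check from the ASP patch above and combines it with a server-side session
check, so that a cookie left behind in an open browser, or a session that has
been logged out, no longer yields the application list. The host name, the
cookie name "NFuseSession" and the session ids are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added model of the applist.asp access decision; host, cookie name and
# session ids below are constructed for the example and are not NFuse's own.


@dataclass
class Session:
    user: str
    apps: Tuple[str, ...]
    active: bool = True   # cleared by logout; the cookie alone proves nothing


class SessionStore:
    """Server-side record of which session ids are still logged in."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, sid: str, user: str, apps: List[str]) -> None:
        self._sessions[sid] = Session(user, tuple(apps))

    def logout(self, sid: str) -> None:
        # Invalidate server-side so a cookie left in an open browser is useless
        if sid in self._sessions:
            self._sessions[sid].active = False

    def get_active(self, sid: Optional[str]) -> Optional[Session]:
        s = self._sessions.get(sid) if sid else None
        return s if s is not None and s.active else None


def referer_within_site(referer: Optional[str], host: str,
                        base_path: str = "/citrix/nfuse161/") -> bool:
    """Port of the posted ASP check: Left(HTTP_REFERER, Len(base)) = base.
    The Referer header is supplied by the client, so this only catches
    accidental navigation: a URL typed into the address bar arrives with no
    Referer and fails the check, exactly as in the original patch."""
    base = "https://" + host + base_path
    return referer is not None and referer.startswith(base)


def handle_applist(cookies: Dict[str, str], headers: Dict[str, str],
                   store: SessionStore,
                   host: str = "nfuse.example.test") -> Tuple[int, object]:
    """Decide a request for applist.asp: (200, app list) or (302, login URL)."""
    login_url = "https://" + host + "/citrix/nfuse161/"
    session = store.get_active(cookies.get("NFuseSession"))
    if session is None:            # no cookie, unknown id, or logged out
        return 302, login_url
    if not referer_within_site(headers.get("Referer"), host):
        return 302, login_url      # defence in depth, as in the ASP patch
    return 200, list(session.apps)


def run_scenarios() -> Dict[str, Tuple[int, object]]:
    """Walk through the situations discussed in the thread."""
    store = SessionStore()
    store.login("sid-1234", "alice", ["Word", "Excel"])
    inside = {"Referer": "https://nfuse.example.test/citrix/nfuse161/login.asp"}
    cookie = {"NFuseSession": "sid-1234"}
    results = {
        # logged in, navigated from within the site
        "logged_in": handle_applist(cookie, inside, store),
        # cookie present but applist.asp typed straight into the address bar
        "typed_url": handle_applist(cookie, {}, store),
        # never logged in: the situation in the original report
        "no_cookie": handle_applist({}, inside, store),
    }
    store.logout("sid-1234")
    # browser left open after logout: cookie still sent, session now inactive
    results["after_logout"] = handle_applist(cookie, inside, store)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:13s} -> {outcome}")
```

Running the block prints one line per scenario. The referer check is kept as
defence in depth only: the header comes from the client, and privacy tools
that strip it would send legitimate users back to the login page, so the
server-side session state is what actually decides whether the list is shown.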


From: Jeff Mills <Jeff.Mills@pocoldlogistics.com>
Sent: 2002/01/22 11:43 PM
To: bugtraq@securityfocus.com
Subject: RE: Citrix NFuse 1.6

Tom and all,
I could not reproduce this problem.
My NFuse 1.6 server seems to redirect to the login page if I try to connect
directly to applist.asp.

Cheers,

Jeff Mills




-----Original Message-----
From: Tom.Lyne@kamino.com [mailto:Tom.Lyne@kamino.com]
Sent: Wednesday, 23 January 2002 2:58
To: bugtraq@securityfocus.com
Subject: Citrix NFuse 1.6


Dear Reader,

      It seems if you go to an NFuse server's 'applist.asp' page without
first authenticating, it reveals a list of all the applications that are
configured as published applications. Seems like an easily preventable
information leak from a default setup.

Rgds,
Tom Lyne



----------------------------------------------------------------
        The information transmitted is intended only for the person or
        entity to which it is addressed and may contain confidential and/or
        privileged material.  Any review, retransmission, dissemination or
        other use of, or taking of any action in reliance upon, this
        information by persons or entities other than the intended
        recipient is prohibited.   If you received this in error, please
        contact the sender and delete the material from any computer.

