On a Citrix server supporting applications running off of a Novell Directory Services network, I found that additional information about the victim network can be discovered. After opening the applist.asp page and seeing all configured applications, without authentication, I clicked on one of the apps. Another browser window opened with the following error: There was an error: This operation requires user credentials to be specified. The following session field was not set: NFUSE_USER while opening the URL of: http://nfuse.insecureMSserver.com/launch.asp?NFuse_Application=LookOut&NFuse_MIMEExtension=.ica I appended &NFUSE_USER=ABM&NFUSE_PASSWORD=byte-me to the URL. Note that the two parameters NFUSE_USER and NFUSE_PASSWORD were supplied with bogus parameters. After a short period of time, Citrix presented me with a Novell client login screen. By clicking the Advanced button, I was able to browse Novell Directory Services for all tree, organizational units, and server names contained on the network. In the NT/2000 tab of the client, I was able to ascertain the name of the AD domain, and the server name hosting the Citrix published application. As was and is still the case, as far as I can tell this bug only the exposes network information. But, exposure of information such as this is great for recognizance preceding further attacks. I tested with a bogus application name after the NFuse_Application parameter, but only with a valid app name is this a problem.
