
Sanity check please? False positive with Citrix XSS plugin (#12301)
I wanted to do a quick sanity check here before heading over to bugzilla.

I have a host that's being flagged by plugin 12301, which is looking for an
XSS vulnerability in old versions of Citrix Web Interface (specifically,
version 2.0). The plugin sends an XSS exploit attempt that uses the
following bit of script as its exploit payload:

<SCRIPT>alert('Ritchie')</SCRIPT>

and (if I'm reading the source code correctly) it then checks to see whether
the entirety of the above string is returned anywhere in the response from
the web server, which would - in some cases - confirm the presence of the
vulnerability.

Unfortunately, this logic triggers a false positive when the web server
returns something like this:

HTTP/1.1 200 OK
Content-Length: 507
Content-Type: text/html
Content-Location:
https://my.web.server/Citrix/default.htm?404;https://my.web.server:443/citrix/MetaframeXP/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=
<SCRIPT>alert('Ritchie')</SCRIPT>&ClientDetection=ON
Last-Modified: Thu, 21 Jul 2005 21:38:28 GMT
Accept-Ranges: bytes
ETag: "511039883c8ec51:282"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 30 Oct 2008 21:21:04 GMT

<!--
---- default.htm
---- Copyright (c) 2000 - 2005 Citrix Systems, Inc. All Rights Reserved.
---- Web Interface (Build 45083)
-->

<html>
<head>
<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=auth/login.aspx">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW, NOARCHIVE">
</head>
<body onLoad='location="auth/login.aspx";'>
Please click <a href='auth/login.aspx'>here</a> if you are not automatically
redirected.
</body>
</html>read:errno=104

We're running Citrix WI 4.0.4, which doesn't even use the same base login
page that this plugin is testing - it wants login.aspx, not the older
login.asp that WI 2.x uses. As you can see, the web server is politely
suggesting a redirect to the .aspx version of the main login page, but in
the process it returns the entire URL in the Content-Location header, and
the URL includes the offending string. I believe this is where the plugin is
catching a false positive.

Thoughts?

Thanks.

-Andy
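The distinction Andy describes, as an added example that is not plugin 12301's code or any Nessus code: a naive "payload anywhere in the raw response" test beside one that only counts a verbatim reflection inside an HTML body, so that a request URL echoed back in a Content-Location header does not count. The three responses are constructed for the example (the first abbreviates the one quoted above), and the function names are my own.

```python
"""Tell a payload echoed in the HTTP body apart from one that merely appears
in a response header (e.g. Content-Location echoing the request URL).
Example code written for this thread; it is not the Nessus plugin's logic."""
import re

PAYLOAD = "<SCRIPT>alert('Ritchie')</SCRIPT>"

# Constructed sample: the false-positive case from the thread. The request URL,
# payload included, is echoed only in the Content-Location header; the body is
# a plain redirect page.
FALSE_POSITIVE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Location: https://my.web.server/Citrix/default.htm?404;"
    "https://my.web.server:443/citrix/MetaframeXP/default/login.asp"
    "?NFuse_Message=" + PAYLOAD + "&ClientDetection=ON\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "\r\n"
    "<html><head>"
    '<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=auth/login.aspx">'
    "</head><body>Please click <a href='auth/login.aspx'>here</a>"
    "</body></html>"
)

# Constructed sample: a page that writes the error message parameter into the
# body without encoding it, i.e. a genuine reflection worth reporting.
TRUE_POSITIVE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><p class='error'>" + PAYLOAD + "</p></body></html>"
)

# Constructed sample: the parameter is reflected but HTML-encoded, so the
# script tag is inert text in the browser and must not be reported.
ENCODED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><p>&lt;SCRIPT&gt;alert('Ritchie')&lt;/SCRIPT&gt;</p>"
    "</body></html>"
)


def naive_check(raw: str, payload: str = PAYLOAD) -> bool:
    """The flawed test: payload anywhere in the raw response, headers included.
    This is what fires on the Content-Location echo."""
    return payload in raw


def split_response(raw: str):
    """Return (status_line, headers, body). Headers end at the first blank
    line; header names are lower-cased so lookups are case-insensitive."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else ""
    lines = head.splitlines()
    status_line = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def classify_reflection(raw: str, payload: str = PAYLOAD) -> str:
    """Where does the payload show up verbatim?
       'body'    - in the entity body (the only location a browser renders)
       'headers' - only inside a header value (request URL echoed back)
       'none'    - nowhere verbatim (absent, or encoded on the way out)"""
    _, headers, body = split_response(raw)
    if payload in body:
        return "body"
    if any(payload in value for value in headers.values()):
        return "headers"
    return "none"


def is_reflected_xss(raw: str, payload: str = PAYLOAD) -> bool:
    """Report only a verbatim reflection in an HTML body; a script tag in a
    header or in a non-HTML body is never executed by the browser."""
    _, headers, body = split_response(raw)
    content_type = headers.get("content-type", "").lower()
    return payload in body and content_type.startswith("text/html")


if __name__ == "__main__":
    for label, resp in (("header echo", FALSE_POSITIVE_RESPONSE),
                        ("body echo", TRUE_POSITIVE_RESPONSE),
                        ("encoded echo", ENCODED_RESPONSE)):
        print(f"{label:13s} naive={naive_check(resp)!s:5s} "
              f"where={classify_reflection(resp):8s} "
              f"report={is_reflected_xss(resp)}")
```

Splitting at the first blank line is enough for the case in the thread; a production check would additionally want to parse the body and confirm the reflection lands in a script-executing context rather than, say, inside an HTML comment.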
Re: Sanity check please? False positive with Citrix XSS plugin (#12301)
On Thursday 30 October 2008 22:43:25 Andy Ellsworth wrote:
> Unfortunately, this logic triggers a false positive when the web server
> returns something like this:

I fixed that, thanks.
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers