Summary
URL query parameters are not adequately sanitised before they are placed into an HTTP Location header. An attacker can exploit this to create a link which, when clicked, redirects the victim to an arbitrary location. Alternatively the attacker can inject newline characters into the Location header, to prematurely end the HTTP headers and inject an XSS payload into the response body.
Impact
An attacker can craft malicious links which, when clicked, either redirect the victim to an attacker controlled website or execute JavaScript in the victim’s browser.
Affected Software
The following versions are affected by this vulnerability:
- Citrix ADC and Citrix Gateway 13.1 before 13.1-45.61
- Citrix ADC and Citrix Gateway 13.0 before 13.0-90.11
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.35
- Citrix ADC 12.1-FIPS before 12.1-55.296
- Citrix ADC 12.1-NDcPP before 12.1-55.296
Product Description
Citrix Gateway is a network appliance providing multiple functions including remote access VPN services.
Solution
Upgrade to the latest version of Citrix Gateway.
Citrix’s official advisory can be found here.
Blog Post
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Credits
Dylan Pindur – Assetnote Security Research Team
See Assetnote in action
Find out how Assetnote can help you lock down your external attack surface.
Use the lead form below, or alternatively contact us via email by clicking here.