Advisory

Han Sahin, August 2014

Citrix NetScaler VPX help pages are vulnerable to Cross-Site Scripting

Abstract

It was discovered that the help pages of Citrix VPX are vulnerable to Cross-Site Scripting. This issue allows attackers to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Tested version

This issue was discovered in Citrix NetScaler VPX NSVPX-ESX-10.5-50.10; other versions may also be vulnerable.

Fix

Citrix reports that this vulnerability is fixed in NetScaler 10.5 build 52.8nc.

Introduction

NetScaler VPX is a virtual NetScaler appliance. NetScaler VPX includes all NetScaler load balancing/traffic management, application acceleration, application security, and offload functionality. It was discovered that the help pages of Citrix VPX are vulnerable to Cross-Site Scripting.

Details

This issue exists because the value of the searchQuery URL parameter is assigned client-side to contentDiv.innerHTML (DOM-based Cross-Site Scripting), for example:
https://<target>/help/rt/large_search.html?searchQuery=<h1>Reset your password below:<h1><iframe src='http://www.evil.com'/>&type=ctxTV

Tricking a victim into visiting a specially crafted URL allows attackers to run arbitrary client-side scripting code within the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
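The sink the advisory describes, next to a hardened variant, as an added example (not Citrix code; the host name in the URL is a placeholder and the helper names are my own). The page's proof of concept puts raw markup in searchQuery, so the difference between the two renderers is visible directly in the returned strings.

```javascript
// Added example: the DOM-XSS pattern from the advisory and a hardened variant.
// Not Citrix code; the host below is a placeholder and the helpers are illustrative.

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Read searchQuery the way the help page does: straight from the page URL.
function getSearchQuery(pageUrl) {
  return new URL(pageUrl).searchParams.get("searchQuery") || "";
}

// Vulnerable pattern: the parameter flows unescaped into an HTML sink
// (the advisory's contentDiv.innerHTML), so any markup it carries is parsed.
function vulnerableMarkup(pageUrl) {
  return '<div id="contentDiv">Results for: ' + getSearchQuery(pageUrl) + "</div>";
}

// Hardened pattern: encode before the value reaches the sink. In a real page the
// simplest fix is to assign to contentDiv.textContent instead of innerHTML.
function hardenedMarkup(pageUrl) {
  return '<div id="contentDiv">Results for: ' + escapeHtml(getSearchQuery(pageUrl)) + "</div>";
}

// Detection helper for a review or a test suite: does rendered output still
// contain a live tag of the kinds that typically appear in XSS payloads?
function containsLiveTag(html) {
  return /<(iframe|script|img|svg|h1)\b/i.test(html);
}

// Constructed URL modelled on the advisory's proof of concept (placeholder host).
const POC_URL = "https://netscaler.example/help/rt/large_search.html"
  + "?searchQuery=%3Ch1%3EReset%20your%20password%20below%3A%3Ch1%3E"
  + "%3Ciframe%20src%3D'http%3A%2F%2Fwww.evil.com'%2F%3E&type=ctxTV";

console.log("vulnerable:", vulnerableMarkup(POC_URL));
console.log("hardened:  ", hardenedMarkup(POC_URL));
```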
