mailing list archives
Re: Citrix NFuse 1.6 - additional network exposure
From: "Bob Fiero" <bfiero () mentalfloss net>
Date: Wed, 20 Feb 2002 15:01:32 -0500
On a Citrix server supporting applications running off of a Novell Directory Services network, I found that additional
information about the victim network can be discovered.
After opening the applist.asp page and seeing all configured applications, without authentication, I clicked on one of
the apps. Another browser window opened with the following error:
There was an error:
This operation requires user credentials to be specified. The following session field was not set: NFUSE_USER
while opening the URL of:
I appended &NFUSE_USER=ABM&NFUSE_PASSWORD=byte-me to the URL. Note that the two parameters NFUSE_USER and
NFUSE_PASSWORD were supplied with bogus parameters.
After a short period of time, Citrix presented me with a Novell client login screen. By clicking the Advanced button, I
was able to browse Novell Directory Services for all tree, organizational units, and server names contained on the
network. In the NT/2000 tab of the client, I was able to ascertain the name of the AD domain, and the server name
hosting the Citrix published application.
As was and is still the case, as far as I can tell this bug only the exposes network information. But, exposure of
information such as this is great for recognizance preceding further attacks.
I tested with a bogus application name after the NFuse_Application parameter, but only with a valid app name is this a
- Re: Citrix NFuse 1.6 - additional network exposure Bob Fiero (Feb 21)