Xen Mobile contains numerous unauthenticated file upload vulnerabilities


Last revised:

It was possible to upload a file to to the Xen Mobile server without authentication.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5 Medium
Vector Network
Complexity Low
Authentication None
Confidentiality None
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

It is possible to upload a file to to the Xen Mobile server¬†without authentication by making a request to /ControlPoint/upload that includes a Referer header claiming that the request was referred from the application’s domain.

POST /ControlPoint/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=MultipartBoundry
Connection: close
Content-Length: 239

Content-Disposition: form-data; name="image"; filename="FILENAME_HERE"

[content of file]

There are several other API endpoints that also provide this file upload functionality without authentication. For example, the /zdm/rs/xdmServices/devicepolicy/fileUpload accepts JSON data and writes it to files under /opt/sas/temp/. This functionality chooses a random filename, but then discloses that filename to the caller.

Advisory timeline

2018-03-28 – Reported to Citrix and acknowledged immediately

2018-05-21 – Issue reported fixed


Mitigation/further actions

  1. Remove public access to this service by moving it inside your network and configuring mobile devices to access it via a VPN or proxy that requires authentication
  2. Install an update rectifying this issue as soon as one is available