Advisory:

Xen Mobile contains open redirect vulnerabilities

Xen Mobile contains open redirect vulnerabilities. This is a class of vulnerability where a service will redirect a user to a location controlled by an attacker.

Current state: Fixed

CVSS Summary

CVSS v2 base score for this vulnerability: 5.0 (Medium), vector AV:N/AC:L/Au:N/C:N/I:P/A:N

  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

The affected endpoints take a redirect destination from a request parameter (target and RelayState respectively) and send the browser there without checking that the destination stays on the XenMobile host. A user who follows a link to the genuine site is therefore delivered to a location the attacker controls while believing they are still visiting the site:

https://target/zdm/dynamictp/dynamicredirect.jsp?target=http://www.evilwebsite.com
https://target/aw/saml/signin/test?RelayState=http://www.evilwebsite.com

Attackers use open redirects of this kind in phishing campaigns to steal credentials: the victim receives a link to the genuine URL, which passes any link-checking and looks trustworthy, and is then forwarded to a similar-looking site under the attacker's control.

Advisory timeline

2018-03-28 – Reported to Citrix and acknowledged immediately

2018-05-21 – Issue reported fixed

Mitigation/further actions

  1. Block these URLs at a reverse proxy or WAF, or filter the target and RelayState parameters so that only relative paths or an allow-list of known-safe locations are accepted
  2. Consider adding monitoring to detect requests to these URLs whose target or RelayState value points off-site or otherwise looks unexpected
  3. Remove public access to this service by moving it inside your network and configuring mobile devices to reach it via a VPN or proxy that requires authentication
  4. Install the update that rectifies this issue as soon as it is available (the timeline above records a fix reported on 2018-05-21)
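The following is an added example, not Citrix code and not part of the original advisory, showing what items 1 and 2 look like in practice: an allow-list check for a redirect parameter that also rejects the classic filter bypasses (scheme-relative //host, backslashes, userinfo before an @, non-http schemes, and http:host without slashes), and a detector that runs that check over the target and RelayState values seen in web-server access logs for the two endpoints named in the advisory. The allowed hostnames, the Apache-style log format and the log lines themselves are assumptions constructed for the example.

```python
"""Allow-list validation for redirect parameters plus a log sweep for
off-site values. Added example: endpoint paths and parameter names come
from the advisory; hosts, log format and log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts the service may legitimately redirect to (assumed for the example).
ALLOWED_HOSTS = {"mdm.example.com", "sso.example.com"}

# Endpoint -> name of the parameter that carries the redirect destination.
WATCHED = {
    "/zdm/dynamictp/dynamicredirect.jsp": "target",
    "/aw/saml/signin/test": "RelayState",
}


def is_safe_redirect(value, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for a rooted relative path or an http(s) URL whose
    host is on the allow-list. Everything else, including the usual
    bypasses, is rejected."""
    # Control characters or spaces have no business in a redirect target.
    if not value or any(ord(c) < 0x21 for c in value):
        return False
    # Browsers treat a backslash like a slash, so "/\\evil" is "//evil".
    candidate = value.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative: only http(s) with an explicit host.
        # "//host" (empty scheme) and "javascript:" fail here.
        if parts.scheme not in ("http", "https"):
            return False
        # "https://good@evil" puts the real host after the @; "http:evil"
        # has no netloc at all but browsers still navigate to evil.
        if "@" in parts.netloc or not parts.hostname:
            return False
        return parts.hostname in allowed_hosts  # hostname is lower-cased
    # Relative destination: must be rooted on this host and not "//".
    return candidate.startswith("/") and not candidate.startswith("//")


# Constructed sample access log (Apache combined-style, assumed format).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2018:10:01:02 +0000] "GET /zdm/dynamictp/dynamicredirect.jsp?target=/zdm/home HTTP/1.1" 302 -
203.0.113.9 - - [28/Mar/2018:10:01:07 +0000] "GET /zdm/dynamictp/dynamicredirect.jsp?target=http://www.evilwebsite.com HTTP/1.1" 302 -
203.0.113.9 - - [28/Mar/2018:10:01:09 +0000] "GET /aw/saml/signin/test?RelayState=http://www.evilwebsite.com HTTP/1.1" 302 -
10.0.0.6 - - [28/Mar/2018:10:02:00 +0000] "GET /aw/saml/signin/test?RelayState=https://sso.example.com/acs HTTP/1.1" 200 -
10.0.0.7 - - [28/Mar/2018:10:02:30 +0000] "GET /zdm/login HTTP/1.1" 200 -
"""

# client, timestamp, request target of a GET/POST line.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')


def find_suspicious_redirects(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (client, path, param, value) for every request to a watched
    endpoint whose redirect parameter fails is_safe_redirect()."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        client, _ts, target = m.groups()
        parts = urlsplit(target)
        param = WATCHED.get(parts.path)
        if param is None:
            continue
        # parse_qs percent-decodes, so encoded bypasses are checked decoded.
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if not is_safe_redirect(value, allowed_hosts):
                hits.append((client, parts.path, param, value))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_redirects(SAMPLE_LOG):
        print("suspicious redirect: client=%s path=%s %s=%s" % hit)
```

On the constructed log the sweep flags the two requests from 203.0.113.9 that carry http://www.evilwebsite.com and leaves the relative path and the allow-listed sso.example.com value alone. The same is_safe_redirect() check is what a proxy rule or a server-side fix would apply before issuing the 302; rejecting scheme-relative and userinfo forms outright is deliberate, since a service that only ever needs to redirect within its own deployment has no reason to accept them.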