URL query parameters are not adequately sanitised before they are placed into an HTTP <span class="code_single-line">Location</span> header. An attacker can exploit this to create a link which, when clicked, redirects the victim to an arbitrary location. Alternatively the attacker can inject newline characters into the <span class="code_single-line">Location</span> header, to prematurely end the HTTP headers and inject an XSS payload into the response body.
The following versions are affected by this vulnerability:
- Citrix ADC and Citrix Gateway 13.1 before 13.1-45.61
- Citrix ADC and Citrix Gateway 13.0 before 13.0-90.11
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.35
- Citrix ADC 12.1-FIPS before 12.1-55.296
- Citrix ADC 12.1-NDcPP before 12.1-55.296
Citrix Gateway is a network appliance providing multiple functions including remote access VPN services.
Upgrade to the latest version of Citrix Gateway.
Citrix’s official advisory can be found here.
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Dylan Pindur - Assetnote Security Research Team