TITLE: Citrix Metaframe Presentation Server Policy Filtering Bypass SECUNIA ADVISORY ID: SA17032 VERIFY ADVISORY: http://secunia.com/advisories/17032/ CRITICAL: Moderately critical IMPACT: Security Bypass WHERE: >From remote SOFTWARE: Citrix Presentation Server 4.x http://secunia.com/product/5270/ Citrix MetaFrame Presentation Server 3.x http://secunia.com/product/3805/ DESCRIPTION: Gustavo Gurmandi has reported a vulnerability in Citrix MetaFrame Presentation Server, which can be exploited by malicious users to bypass certain security restrictions. The vulnerability is caused due to a validation error when policy filtering decisions are made based on the user's client name. This can be exploited by malicious users to bypass certain policy restrictions by modifying the client name in the "launch.ica" file The vulnerability has been reported in the following versions: * Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2000 * Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2003 * Citrix Presentation Server 4.0 for Microsoft Windows 2000 * Citrix Presentation Server 4.0 for Microsoft Windows 2003 SOLUTION: Do not use client names for policy filtering decision. PROVIDED AND/OR DISCOVERED BY: Gustavo Gurmandi, GrupoITPro Security Research Community. ORIGINAL ADVISORY: Citrix: http://support.citrix.com/kb/entry!default.jspa?categoryID=275&externalID=CTX107705 GrupoITPro Security Research Community: http://www.grupoitpro.com.ar/ctxpoliciesbypass.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------