Advisory

XenMobile contains open redirect vulnerabilities

Overview

XenMobile contains open redirect vulnerabilities. This is a class of vulnerability in which a service redirects the user to a location taken from a request parameter without checking it, so an attacker who crafts the link chooses the destination.

These vulnerabilities allow an attacker to trick users into believing they are visiting the genuine site when they are in fact being sent to a location the attacker controls.

Proof of concept

    https://target/zdm/dynamictp/dynamicredirect.jsp?target=http://www.evilwebsite.com
    https://target/aw/saml/signin/test?RelayState=http://www.evilwebsite.com

Attackers use these vulnerabilities to steal credentials in phishing attacks: the victim is sent a link to a genuine URL on the trusted site, which then forwards them to a similar-looking but untrustworthy location.

Mitigation/further actions

  1. Block these URLs, or add filtering so that the target and RelayState values are restricted to locations known to be safe (for example relative paths, or absolute URLs whose host is on an allow-list of your own hosts)
  2. Consider adding monitoring to detect if these URLs are called with unexpected values
  3. Remove public access to this service by moving it inside your network and configuring mobile devices to access it via a VPN or proxy that requires authentication
  4. Install an update rectifying this issue as soon as one is available
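The following is an added example of the filtering in mitigation 1 and the monitoring in mitigation 2; it is not dxw's or Citrix's code. It assumes an allow-list of your own hosts (xenmobile.example.com and sso.example.com are placeholders), and the request log format and the log lines are constructed for illustration. The check deliberately rejects the usual bypasses of a naive "starts with /" or "contains our hostname" filter: protocol-relative "//evil", a backslash after the slash, "https:evil" with no authority, a userinfo "@" trick, and percent-encoded variants.

```python
"""Allow-list check for redirect targets, plus a log sweep that flags requests
to the two affected endpoints whose target/RelayState value points off-site.

Added example for the mitigations above, not dxw's or Citrix's code.  The
allow-list hosts, the request-log format and the sample log lines are all
constructed for illustration.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts the redirect endpoints may send a browser to (assumed placeholders).
ALLOWED_HOSTS = {"xenmobile.example.com", "sso.example.com"}

# The two affected paths and the parameter each reads its destination from.
REDIRECT_PARAMS = {
    "/zdm/dynamictp/dynamicredirect.jsp": "target",
    "/aw/saml/signin/test": "RelayState",
}


def is_safe_redirect(value: str) -> bool:
    """Return True only if ``value`` cannot send the browser off-site.

    Accepts a relative path with exactly one leading '/', or an absolute
    https URL whose host is on the allow-list.  Everything else is rejected.
    """
    if not value:
        return False
    # Decode once more so a percent-encoded bypass is judged on its decoded
    # form, and drop surrounding whitespace.
    value = unquote(value).strip()
    # Control characters and backslashes let some browsers re-interpret the
    # URL ('/\evil' is treated like '//evil' by Chromium-based browsers).
    if any(ord(c) < 0x20 for c in value) or "\\" in value:
        return False
    # Relative path: one leading slash, so no scheme and no '//authority'.
    if value.startswith("/") and not value.startswith("//"):
        return True
    parts = urlsplit(value)
    if parts.scheme.lower() != "https":
        return False          # covers 'http:', 'javascript:', '//evil' (no scheme)
    if "@" in parts.netloc:
        return False          # 'https://good.example@evil' resolves to evil
    host = parts.hostname or ""   # '' for 'https:evil' (no authority)
    return host.lower() in ALLOWED_HOSTS   # exact match, not a suffix match


def flag_open_redirects(log_lines):
    """Return (line_no, path, param, value) for each request to an affected
    endpoint whose redirect parameter fails the allow-list check.

    Assumes a constructed log format: '<timestamp> <method> <request-uri>'.
    """
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        parts = urlsplit(fields[2])
        param = REDIRECT_PARAMS.get(parts.path)
        if param is None:
            continue
        # parse_qs percent-decodes the value; repeated parameters all get checked.
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if not is_safe_redirect(value):
                findings.append((line_no, parts.path, param, value))
    return findings


# Constructed sample log: three legitimate requests and three abuse attempts.
SAMPLE_LOG = [
    "2018-03-28T10:00:01Z GET /zdm/dynamictp/dynamicredirect.jsp?target=/zdm/home",
    "2018-03-28T10:00:02Z GET /zdm/dynamictp/dynamicredirect.jsp?target=http://www.evilwebsite.com",
    "2018-03-28T10:00:03Z GET /aw/saml/signin/test?RelayState=https://sso.example.com/login",
    "2018-03-28T10:00:04Z GET /aw/saml/signin/test?RelayState=%2F%2Fwww.evilwebsite.com",
    "2018-03-28T10:00:05Z GET /aw/saml/signin/test?RelayState=https://sso.example.com@www.evilwebsite.com/",
    "2018-03-28T10:00:06Z GET /zdm/login",
]

if __name__ == "__main__":
    for line_no, path, param, value in flag_open_redirects(SAMPLE_LOG):
        print(f"line {line_no}: {path} {param}={value!r} is not an allowed destination")
```

The host comparison is an exact match against the allow-list rather than a suffix or substring test, because "xenmobile.example.com.evilwebsite.com" and "https://xenmobile.example.com@evilwebsite.com" both contain the trusted name. Run against the sample log, the sweep reports lines 2, 4 and 5; the same function can be pointed at a real access log once the field positions are adjusted.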

Advisory timeline

  1. 2018-03-28 – Reported to Citrix and acknowledged immediately
  2. 2018-05-21 – Issue reported fixed

CVSS

Base score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Metadata

  • Severity
    Medium (base score 4.3)
  • Discovered by
    Glyn Wintle
  • Advisory ID
    dxw-2018-3579
  • CVE
    CVE-2018-10651
  • Component/package
    XenMobile
  • Version
    10.8.0 and older versions
  • Published
    2018-03-26