#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:  Access Gateway Advanced a.k.a. CAG
# Vendor:   Citrix
# CVE ID:   CVE-2007-0011 (CTX113814)
# Subject:  Session Hijacking and Information Disclosure
# Severity: Medium
# Effect:   Remotely exploitable
# Author:   Cyrill Brunschwiler
# Date:     April 15th 2008
#
#############################################################

Introduction:
-------------
When using Access Gateway Advanced Edition, residual information left
in the client web browser and on the client computer could allow an
attacker to gain unauthorized access to a user’s Citrix session.

Affected:
---------
This vulnerability is present in all versions of Access Gateway
Advanced Edition up to and including version 4.5.

- Access Gateway 4.5 Advanced Edition
- Access Gateway 4.5 Standard Edition
- Advanced Access Control 4.2
- Advanced Access Control Option 4.0

Description:
------------
The login form does not properly restrict the common web browser
autocomplete feature, in which the web browser stores input field
information. The login credentials are therefore stored in the browser
cache for future use and might be revealed to attackers who have
access to the victim’s computer. This is especially critical in
Internet café environments.
...
Remediation:
------------
Either add the autocomplete=off attribute to the form tag or add the
autocomplete=off attribute to every critical input tag to avoid the
vulnerability.

Patches:
--------
This vulnerability has been addressed in the Access Gateway firmware
version 4.5.5. It is therefore strongly recommended that customers
upgrade their Access Gateway appliance to firmware version 4.5.5 and
upgrade to Access Gateway Advanced Edition 4.5 HF1. These upgrades can
be obtained from the following locations:

- Access Gateway Appliance firmware 4.5.5:
  http://support.citrix.com/article/CTX114028
- Advanced Access Control HF1:
  http://support.citrix.com/article/CTX112803

Timeline:
---------
Vendor Status:    Patch released
Vendor Notified:  June, 14th 2007
Vendor Response:  June, 27th 2007
Patch Available:  July, 19th 2007
Issue Confirmed:  July, 18th 2008
Advisory Release: April, 25th 2008

References:
-----------
CTX113816, Vulnerabilities in CAG Advanced Edition could allow
redirection to arbitrary web sites,
Link: http://support.citrix.com/article/CTX113816

OWASP Guide:
http://www.owasp.org/index.php/Authentication#Browser_remembers_passwords
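
Added example (not part of the original advisory and not Compass or
Citrix code): a check for the remediation described above, which reports
critical input fields covered neither by autocomplete=off on the form
tag nor on the input tag itself. The set of critical input types, the
function names and the sample markup are assumptions of this example.

```python
from html.parser import HTMLParser

# Input types treated as critical; this set is an assumption of the example.
CRITICAL_TYPES = {"text", "email", "password"}


def is_off(attrs):
    """True when the tag carries autocomplete=off (value is case-insensitive)."""
    return (dict(attrs).get("autocomplete") or "").strip().lower() == "off"


class AutocompleteAudit(HTMLParser):
    """Record critical inputs covered neither by their own autocomplete=off
    nor by that of the enclosing form."""

    def __init__(self):
        super().__init__()
        self.form_off = False  # True while inside <form autocomplete=off>
        self.findings = []     # (line number, input name)

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.form_off = is_off(attrs)
        elif tag == "input":
            a = dict(attrs)
            itype = (a.get("type") or "text").lower()
            if itype in CRITICAL_TYPES and not (self.form_off or is_off(attrs)):
                self.findings.append((self.getpos()[0], a.get("name") or "?"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False


def audit(html):
    """Return the unprotected critical inputs found in an HTML document."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup, not the product's login page.
VULNERABLE = """<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="pass">
<input type="submit" value="Log in">
</form>"""
FIXED_FORM = VULNERABLE.replace("<form ", "<form autocomplete=off ")
FIXED_INPUTS = VULNERABLE.replace('name="user"', 'name="user" autocomplete=off') \
                         .replace('name="pass"', 'name="pass" autocomplete="OFF"')
```

Password managers in current browsers may still offer to save login
credentials when this attribute is present, so the check covers the
form autocomplete store only.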