In the true spirit of GNUCITIZEN half(partial)-disclosure movement, we announce that it is possible to gain user access level on CITRIX. The bug/feature does not rely on any client/server vulnerabilities nor client/server misconfiguration issues. All an attacker needs to do to exploit the weakness is to lure a victim to a malicious website or trick him/her into opening specially crafted ICA files. [...]
Yesterday I briefly covered how CITIRX hacking works by performing simple enumeration exercises. Today, I will show you how to drill.
As ways, I prepared a video that demonstrates the attack in more visual way. BTW, 90% of test I’ve done are subjected this type of attack. It is insane really.
In case the video does not work, you can download the high-quality version from over here.
I also did some coding as well. [...]