You connect to an application that is load balanced and you are tired of seeing

RoyATokeshi
May 11, 2003 2:40 pm

When a user connects to a Citrix server through an ICA Web Client, the client allows the user to configure the amount of local access granted to the remote server. While there have been no recorded uses of ICA functionality to launch an attack on a client system, it is a possibility.
For example, an attacker could prompt a user to access a web page with an embedded published application with a resolution of say 1 by 1 pixels. This "invisible" (for all intents and purposes) anonymous published application could have a login script that then copies files, makes modifications to existing files etc. on the client's local machine.
The webica.ini file is a way to limit access to the client's local resources. \ Let's look at an example of the contents of a webica.ini file.
[Access]
CurrentConnection=Published Application10.5.100.161
oldPublishdAppNameValid.DNS.reference.bfq.com=-1
GlobalSecurityAccess=-1
Published Application10.5.100.161=-1
The webica.ini file has the following purposes \
1. The user can set the amount of access the ICA client is supposed to have on the client machine.
2. Assign an amount of access on a server-by-server or published application basis.
3. Assign global settings.
\
The first time a client access particular published application through the web client the user will see a pup up menu with the options to allow Full Access, Read Access, or No Access to the local drives. The user can also choose if the prompt will occur for the application again, this time only or "Don't notify me again". While the Citrix documentation refers to this as check box options it is actually a toggle button.
The pop up looks like this
///1y0-930_004.png///

When the user makes a selection the settings are stored in the webica.ini file and is kept in the %windir% folder (i.e. c:windowswebica.ini)
CurrentConnection= is one of the settings in the webica.ini file. It stores the published application name and the IP address of the participating server. Note that if a load balanced application is accessed; it is probable that the user will be prompted until that user has made a default selection or a selection for each of the participating servers.
The settings in the webica.ini file are
405 means give the server Full Access.
404 is Read Access.
403 is No Access.
-1 means no security setting is configured.

Reference
Advanced Citrix Server Implementation 1.0- Module 6Security and SecureICA
SecureICA 1.22 README - English
SecureICA 1.22 Administrator's Guide - English



Primary links

Custom Search

User login

Who's new

  • maczugaher
  • locksgydff
  • isotheces
  • ahundredyears7
  • Jacomijntjefu

Who's online

There are currently 0 users and 4 guests online.

KrissysCorner.com RuthSwensonLaw.com CreativeLizardProductions.com

DISCLAIMER:

None of this has anything to do with us, someone else is responsible for the entire thing, and we have no idea who or why. We do not know anything about it. It may be alien life forms for all we know: we haven't a clue. You cannot blame us for anything that may result from your visit. That was entirely your own personal choice, made by you of your own volition, and without our knowledge. We do not, after all, have any control over you and cannot by any stretch of the imagination be expected to accept or acknowledge, be it legally or morally, any accountability for decisions made by you on an independent basis, utilizing your own free will, and without our intervention. We are therefore in no way, shape, or form answerable to anyone for any consequences arising from the aforementioned or indeed any other actions, similar or otherwise, because it was not us that did, or did not do anything. It is not even remotely our fault, and we are in no way prepared or willing to accept any liability, not even slightly, ever. We are, in fact completely and utterly blameless, in that it is definitely not our concern, and no blame can possibly be laid at our doorstep, even if we had one, the possession of which we hereby reserve as being entirely our own free choice. The onus is not on us at all, and furthermore, never has been. The entire matter is wholly beyond our control, and completely out of our hands, each of which are washed scrupulously clean of the whole business. We are not accountable for anything at all, and we hereby categorically deny all responsibility for all that has ever, or will ever happen. Our innocence is therefore wholly beyond doubt and absolutely unimpeachable, and so cannot, under even the remotest or unlikeliest circumstances, be brought into question. By clicking either on a link on this site, clicking on a link that leads to this site, or by arriving at this site by natural or supernatural means, you are in effect accepting responsibility for the fact that it is all entirely your own fault, down to the most miniscule detail, and that you are wholly accountable for whatever outcome may arise as a consequence of the aforementioned action or actions insofar as they were undertaken personally by you on an entirely voluntary basis and without any persuasion, coercion or influence from any party or parties other than yourself. Don't come sniveling to us, we are only figments of your imagination. I also agree that if I am ever with a contributor to this website during mealtimes I agree to pay for any super-sizing of their meal, or at least a nice dessert or one of those foo-foo drinks with an umbrella or a monkey. By admitting to have seen the worthless spineless drivel on this website (also known as content)

I Agree Wholeheartedly and Without Reservation to the above. (Except maybe for that part about the monkey.)

All Your Base Are Belong To Us.

Soylent Green Is People!

Never make a bet with a Sicilian when Death is on the Line!

No. Really, I do agree.