[THIN] Re: thin Digest V6 #289
- From: Tim Bishop <timothy.bishop@xxxxxxxxx>
- To: thin@xxxxxxxxxxxxx
- Date: Sun, 24 Jun 2007 22:02:01 +1000
Bernd,
I must say I haven't posted for a while either...
It would be a lot easier to answer you if we were able to have a
touch and feel session with your software, so we can get to
understand it ourselves. This will enable people to start finding
any possible holes or other application issues.
From the sounds of it, your software is quite powerful, but without
being able to see what it can do for myself I can't comment on your
questions below with any assurance.
BTW this is not an attempt to get myself a free copy of your
software. I'm more than happy to log onto any internet connected
server you provide to do my investigations. I would strongly suggest
this server is on an isolated internet connected network and is not
connected to your corporate network in any way. Or do you have a
trial copy or similar you could provide a link to?
Kind regards,
Tim
On 24/06/2007, at 9:33 PM, thin-digest@xxxxxxxxxxxxx wrote:
------------------------------------
thin Digest Sun, 24 Jun 2007 Volume: 06 Issue: 289
In This Issue:
#1: From: "Bernd Harzog" <berndh@xxxxxxxxxxxxxx>
Subject: [THIN] A Great Citrix Feature or a Massive Security Hole?
----------------------------------------------------------------------
Msg: #1 in digest
From: "Bernd Harzog" <berndh@xxxxxxxxxxxxxx>
Subject: [THIN] A Great Citrix Feature or a Massive Security Hole?
Date: Sun, 24 Jun 2007 07:33:59 -0400
Folks,

I have not been posting much since I left RTO a couple of years ago. I am now with ProactiveWatch, a vendor that makes a Managed Services platform that allows VARs to monitor and manage applications, systems and networks at their customer sites.

We are working on putting remote control integration into a forthcoming version of the product, and the first thing we did was RDP. The interesting case is the case of our Console installed on a Citrix Server at the customer site. If the Admin is using the Console (published as a Citrix app), let’s say from home (just public Internet from home to the office), and then he right-clicks and invokes an RDP session (this assumes an RDP file on the Citrix Server with the correct parameters), the Citrix Presentation Server turns around and publishes that Admin an RDP session. In other words, if you have published application A, and you launch application B from within A, Citrix goes ahead and just publishes B to you in your existing session. All of this without any work on the back end to “enable” RDP as a Citrix application.

Now this is tremendously convenient for an Admin because you can basically right-click and have a desktop to any server you want to see without actually having to publish MSTSC as an application. But if (and I am not sure this is true) you are a user running published Word, and then go run a script to launch Notepad, then you can write things to the file system that will eventually turn the server over to you.

So, is this working the way it is supposed to, and if so, is this a good thing or a really big security hole?

I look forward to comments from all of my old friends (Rick, Jim, are you listening?).

Cheers,
Bernd Harzog
Vice President and General Manager
ProactiveWatch
www.proactivewatch.com
bharzog@xxxxxxxxxxxxxxxxxx
770-475-4249
------------------------------
End of thin Digest V6 #289
**************************
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://www.freelists.org/list/thin
************************************************