A Secret For Defeating Server-to-Client URL Content Redirection

I accidentally discovered a potential security issue with server-to-client URL redirection that affects Receiver 3.0 (ICA Client 13), ICA Client 12.1.44, and XenApp 6.

URL Redirection is often used to prevent end users from launching instances of Internet Explorer on a Citrix server and accessing the Internet. When URL redirection is enabled and a user clicks on a web hyperlink in a published application, the default web browser on the user’s client device is launched instead of spawning a web browser instance inside the user’s Citrix session. This feature helps to keep malware and other nasties from the Internet from dirtying up the Citrix servers, and it also reduces resource utilization as many web browsers can be very resource intensive.

But URL redirection can be easily defeated. All your user needs is Firefox set as the default browser and a quick finger. Here’s how it’s done:

  1. Launch a published application via Citrix and locate the hyperlink to open

  2. On the client device, open Firefox (I tested this with Firefox 8.0)

  3. Close Firefox

  4. Immediately and rapidly click the hyperlink in the published application several times

After a short delay, Internet Explorer will launch on the Citrix server. And unless there are tight security or network restrictions in place on the Citrix side, a user who discovers this trick is free to surf and put your server at risk.

If you have total control over your user’s client devices, this issue is probably not a big deal. But if you do not control the client devices, this flaw could potentially be disastrous if your Citrix servers are not properly secured. I’ll soon be covering step-by-step exactly how to lock down your Citrix servers so that unforeseen “gotchas” like this don’t ruin your day.