There appears to be a major security hole in the Citrix Access Gateway 4.2 Pre-Authentication Policy "pre-scan" capability, and I'm hoping someone knows how to close that gaping hole. If the policy is turned on (e.g. to detect viruses, keyloggers, etc. or to block certain types of workstations) and the scan fails, the user is appropriately redirected to a failure page (https://fqdn/__prescan_failed.html). However, if they modify that URL, replacing "failed" with anything else, then they are allowed past the scan and can then login.
This is a big concern on two levels:
(1) if a legitimate user with a keylogger unwittingly installed bypasses the scan, someone now has their login credentials
(2) if an unwanted user who should have been blocked bypasses the scan, they can now hack away at the Citrix server login
Citrix has known about this since at least February and hasn't fixed it yet and won't commit to a fix date. (If a vendor like Microsoft had the same lack of response to a far lesser security hole, they would be raked across the coals in the mainstream media and blogs around the world.)
Does anyone have a workaround to prevent someone from continuing past the Citrix scan failure page?
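Until a vendor fix is available, one thing a defender can do is watch the gateway's front-end access logs for the pattern the post describes: a client that was sent to `__prescan_failed.html` and then requests some other `__prescan_<anything>.html` page. The script below is an added example written for this thread, not code from Citrix or from the original poster. It assumes a combined-style access log in front of the gateway (a hypothetical format; the sample lines are constructed) and assumes, per the post, that the gateway itself only ever redirects to `__prescan_failed.html`, so any other `__prescan_` page name is a client-side URL edit worth flagging.

```python
import re

# Constructed sample log lines in a hypothetical combined-log layout
# (client IP, timestamp, request line, status). Not real gateway output.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2006:09:12:01 +0000] "GET /__prescan_failed.html HTTP/1.1" 200
10.0.0.5 - - [01/May/2006:09:12:09 +0000] "GET /__prescan_passed.html HTTP/1.1" 200
10.0.0.5 - - [01/May/2006:09:12:15 +0000] "GET /login HTTP/1.1" 200
10.0.0.7 - - [01/May/2006:09:13:40 +0000] "GET /__prescan_failed.html HTTP/1.1" 200
10.0.0.9 - - [01/May/2006:09:14:02 +0000] "GET /__prescan_ok.html HTTP/1.1" 200
10.0.0.9 - - [01/May/2006:09:14:10 +0000] "GET /index.html HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any /__prescan_<result>.html page; <result> is whatever sits between the
# prefix and the .html suffix (no slashes, dots or query strings).
PRESCAN_RE = re.compile(r'^/__prescan_(?P<result>[^./?]+)\.html$')

# Assumption from the post: the gateway only redirects to the "failed" page.
EXPECTED_RESULT = "failed"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not
    match the assumed layout (so junk lines are skipped, not crashed on)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.groupdict()


def find_prescan_anomalies(log_text):
    """Scan log text and return a list of findings, in log order.

    A request for /__prescan_<x>.html with x != "failed" is always flagged:
      - 'bypass_after_failure'   if the same client IP was earlier served the
                                  failed page (the exact sequence in the post)
      - 'unexpected_prescan_page' otherwise (still not a page the gateway
                                  would send a client to, under our assumption)
    """
    clients_sent_to_failed_page = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = PRESCAN_RE.match(rec["path"])
        if not m:
            continue
        if m.group("result") == EXPECTED_RESULT:
            # Legitimate redirect target; remember who was sent there.
            clients_sent_to_failed_page.add(rec["ip"])
            continue
        reason = (
            "bypass_after_failure"
            if rec["ip"] in clients_sent_to_failed_page
            else "unexpected_prescan_page"
        )
        findings.append(
            {"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "reason": reason}
        )
    return findings


if __name__ == "__main__":
    for f in find_prescan_anomalies(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:<12} {f['path']:<26} {f['reason']}")
```

Run against the constructed sample it flags two events: 10.0.0.5, which hit the failed page and then requested `__prescan_passed.html` (the bypass sequence from the post), and 10.0.0.9, which requested a `__prescan_ok.html` page the gateway never sends anyone to. Correlating on client IP is a simplification; behind a shared proxy or NAT you would want to key on a session cookie instead if the logs carry one. This only detects the bypass after the fact, so it is a stopgap for alerting and blocking at the proxy, not a replacement for a vendor fix.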