Debugging Using XmlServiceExplorer - Part 3
Published on 31 Jul 2008
Tags: #Free Tool #HTTP #Presentation Server / XenApp #Web Interface #XML service #XmlServiceExplorer
Now, I’d like to demonstrate how chatty the XML service is when it comes to applications and their configuration. Some pieces of information are required for Web Interface to operate while others can be regarded as compromising.
For obvious reasons, the XML service is able to present a list of published applications for a specific user. When you select the AppData tab and provide valid credentials, the resulting response (see the following screen shot) contains an AppDataSet tag enclosing a number of AppData tags, each describing one published application.
In addition to this very valid reason for enumerating applications, the XML service readily provides a list of ALL published applications regardless of their permissions. Simply reuse the previous request and choose to send no credentials. The following screen shot shows the resulting list of applications including those not published for the user specified in the last request.
Exploring Application Settings
After a user has authenticated with Web Interface, a list of application configuration details is retrieved from the XML service to be cached and used for building web pages and launching applications. Using the AppName field for the name of the application and the DesiredDetails drop-down list for the level of details, the XML service discloses a large amount of configuration details. The following screen shot lists all details for the published application
While exploring the DesiredDetails drop-down list, you will sooner or later try out the access-list value. To my distress, the XML service does not require any authentication before returning this information. The last screen shot shows such a case: anyone with network access to my XML service is able to retrieve the full list of permissions for any application.
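For monitoring, the credential-less requests described above can be flagged from request bodies captured in front of the XML service. This is an added example, not part of the original post or of XmlServiceExplorer; the NFuseProtocol, RequestAppData, Credentials and UserName element names, the finding labels and the sample bodies are assumptions constructed for illustration (only AppName, DesiredDetails and access-list come from the page).

```python
import xml.etree.ElementTree as ET

def _req(inner):
    # Wrap constructed request content in an assumed protocol envelope.
    return f"<NFuseProtocol><RequestAppData>{inner}</RequestAppData></NFuseProtocol>"

# Constructed (source address, request body) pairs, as a logging proxy in
# front of the XML service might record them. Not real captures.
SAMPLE_REQUESTS = [
    ("192.0.2.10", _req("<DesiredDetails>defaults</DesiredDetails>"
                        "<Credentials><UserName>alice</UserName></Credentials>")),
    ("192.0.2.44", _req("<DesiredDetails>defaults</DesiredDetails>")),
    ("192.0.2.44", _req("<AppName>Notepad</AppName>"
                        "<DesiredDetails>access-list</DesiredDetails>")),
    ("192.0.2.45", _req("<DesiredDetails>access-list</DesiredDetails>"
                        "<Credentials><UserName> </UserName></Credentials>")),
    ("192.0.2.46", "<NFuseProtocol><RequestAppData>"),  # truncated body
]

def audit_request(body):
    """Return a list of findings for one captured request body."""
    if "<!ENTITY" in body:
        # Refuse to expand entities from untrusted input.
        return ["entity-declaration"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["unparseable"]
    findings = []
    for req in root.iter("RequestAppData"):
        creds = req.find("Credentials")
        # A missing Credentials element and a blank user name both count
        # as a request sent without credentials.
        user = creds.findtext("UserName", "").strip() if creds is not None else ""
        details = {d.text.strip() for d in req.iter("DesiredDetails") if d.text}
        if not user:
            findings.append("no-credentials")
            if "access-list" in details:
                findings.append("anonymous-access-list")
    return findings

def audit(requests):
    """Return (source, findings) for every request that has findings."""
    return [(src, f) for src, body in requests if (f := audit_request(body))]

if __name__ == "__main__":
    for src, findings in audit(SAMPLE_REQUESTS):
        print(src, ", ".join(findings))
```

Sources that appear here and are not Web Interface servers are the ones to follow up on, and restricting which hosts can reach the XML service port removes them entirely.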