Posted to commits@guacamole.apache.org by "Michael Jumper (JIRA)" <ji...@apache.org> on 2016/12/04 00:33:59 UTC

[jira] [Updated] (GUACAMOLE-20) Stored XSS vulnerability in file browser

     [ https://issues.apache.org/jira/browse/GUACAMOLE-20?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Jumper updated GUACAMOLE-20:
------------------------------------
    Fix Version/s:     (was: 0.9.10-incubating)

> Stored XSS vulnerability in file browser
> ----------------------------------------
>
>                 Key: GUACAMOLE-20
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-20
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole
>    Affects Versions: 0.9.8, 0.9.9
>            Reporter: Michael Jumper
>            Priority: Blocker
>             Fix For: 0.9.8, 0.9.9
>
>
> {panel:bgColor=#FFFFEE}
> *The description of this issue was copied from [GUAC-1465|https://glyptodon.org/jira/browse/GUAC-1465], an issue in the JIRA instance used by the Guacamole project prior to its acceptance into the Apache Incubator.*
> Comments, attachments, related issues, and history from prior to acceptance *have not been copied* and can be found instead at the original issue.
> {panel}
> {panel:title=(!) IMPORTANT|borderColor=#FF0000|bgColor=#FFEEEE}
> As this affects strictly 0.9.8 and 0.9.9, *we will need to produce patch releases (and update Docker) for 0.9.8 and 0.9.9* as well as a public announcement which includes a CVE-ID.
> For strictly-Glyptodon matters, we will also need to make all possible responsible disclosures to clients.
> {panel}
> As reported by Niv Levy:
> {quote}
> Hello Guacamole Dev Team!
> My name is Niv Levy, I'm an information security consultant from Israel.
> During a recent penetration test I found that Guacamole is vulnerable to a stored cross-site scripting attack.
> Stored cross-site scripting means that the injected script is permanently stored on the target servers. The victim then retrieves the malicious script from the server when it requests the stored information.
> The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
> h4. Replication Steps:
> # Upload a file with malicious name. For Example: {{"><svg onload=confirm('Stored_XSS')>.png}}
> # After Uploading the file, refresh the folder where we uploaded our malicious file. The result on the client browser: (see attachment)
> Countermeasure: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
> {quote}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
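The replication steps quoted above show the sink: a file name is inserted into the file-browser markup as HTML rather than as text, so the leading `">` in the name closes the surrounding attribute and tag and the `<svg onload=...>` that follows is parsed as a real element. The block below is an added illustration for this page, not Guacamole's own client code or its actual fix; the function names (renderListingVulnerable, renderListingSafe, escapeHtml, countStrayTags) and the directory listing are assumed for the example. It renders the reporter's file name through a naive string template, then through the same template with the output encoding the cited OWASP cheat sheet prescribes, and checks that no tag beyond the template's own reaches the output.

```javascript
// Added example (not Guacamole code): a file-browser listing as a
// stored-XSS sink, and the output encoding that closes it.
// All identifiers below are hypothetical.

// The file name from the report, embedded here as a constructed sample.
const MALICIOUS_NAME = '"><svg onload=confirm(\'Stored_XSS\')>.png';

// Constructed directory listing, as a server might return it after upload.
const SAMPLE_LISTING = [
  { name: 'report.pdf', type: 'file' },
  { name: MALICIOUS_NAME, type: 'file' },
];

// Vulnerable: the untrusted name is spliced straight into markup.
// The '">' in the name terminates the title attribute and the <li> tag,
// so the browser parses the following <svg onload=...> as an element.
function renderListingVulnerable(entries) {
  return entries
    .map(e => `<li class="${e.type}" title="${e.name}">${e.name}</li>`)
    .join('');
}

// Encode the five characters that can change HTML structure. This is the
// HTML entity encoding rule from the OWASP XSS prevention cheat sheet,
// applied here to both element content and quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: same template, but every untrusted value is encoded, so the
// name is rendered as visible text and never becomes a tag or attribute.
function renderListingSafe(entries) {
  return entries
    .map(e => `<li class="${escapeHtml(e.type)}" title="${escapeHtml(e.name)}">${escapeHtml(e.name)}</li>`)
    .join('');
}

// Check: the template emits exactly two tags per entry (<li ...> and </li>),
// so any additional tag opener in the output came from attacker data.
function countStrayTags(html, entryCount) {
  const tags = (html.match(/<[a-zA-Z/]/g) || []).length;
  return tags - 2 * entryCount;
}

// Stand-alone demonstration: print both renderings and the stray-tag count.
function demo() {
  const bad = renderListingVulnerable(SAMPLE_LISTING);
  const good = renderListingSafe(SAMPLE_LISTING);
  console.log('vulnerable:', bad, '-> stray tags:', countStrayTags(bad, SAMPLE_LISTING.length));
  console.log('hardened:  ', good, '-> stray tags:', countStrayTags(good, SAMPLE_LISTING.length));
  return { bad, good };
}

demo();
```

The example builds markup as strings so it runs outside a browser; in a real web client the more robust fix is to create nodes through the DOM API (`textContent`, `setAttribute`) or a template engine that encodes by default, so that file names never pass through an HTML parser at all. Output encoding must also be applied per context: the attribute value and the element body above happen to share the same encoding, but a name landing inside a URL or an inline script would need different handling.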