Posted to user@guacamole.apache.org by Tushar Jain <tu...@hitachi.mgrmnet.com> on 2020/06/03 15:54:13 UTC

Security Vulnerability - Guacamole 1.0.0

Hi,

 

My security vulnerability testing group has reported the following issues:

 

1.      Reflected XSS - In the username field, while creating a new user

2.      HTML Injection - In the group name field while creating a new group

3.      Implementation of Captcha or a lockout in case of consecutive
incorrect logins. I am using both MySQL and LDAP (AD) authentication

 

He further suggested implementing HTML encoding for special tags like <, >,
", ' for 1 and 2 above.

 

It would be really helpful if anyone can direct me to the resolution I need to
take to fix the above.

 

 

Thanks in advance

Tushar Jain


-- 
Disclaimer: This message and any attachment may contain confidential,
proprietary information and is intended only for the individual named. If
you are not the original intended recipient and have erroneously received
this message, you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system. Hitachi MGRM Net
E-mail transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive late
or incomplete, or contain viruses. Hitachi MGRM Net therefore does not
accept liability for any errors or omissions in the contents of this
message, which arise as a result of e-mail transmission. If verification is
required, please request a hard-copy version. Hitachi MGRM Net Ltd, C - 6/5,
Safdarjung Development Area, New Delhi - 110016, India

'Please consider the environment before printing this e-mail'.
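
Editor's added example (not part of the original message and not Guacamole's code): the HTML encoding suggested above for items 1 and 2, applied at the point where a submitted name is echoed into a message. The function names, the message text and the sample input are constructed for illustration.

```javascript
// Output-encode untrusted text before placing it in HTML.
// All names here are hypothetical; this is not Guacamole's code.

// '&' must be in the map as well as <, >, " and ': without it, input such as
// "&lt;" would be displayed as "<" instead of the literal text that was typed.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function encodeHtml(text) {
  // Single pass, so entities produced here are never encoded a second time.
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before": the submitted name is concatenated into markup as-is.
function renderErrorUnencoded(username) {
  return '<p class="error">User "' + username + '" already exists.</p>';
}

// "After": the name is encoded where it is written into the page.
function renderErrorEncoded(username) {
  return '<p class="error">User "' + encodeHtml(username) + '" already exists.</p>';
}

// Counts opening element tags in a fragment; the template itself has one <p>.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample input: harmless markup typed into the name field.
const sampleName = `<i title="x">O'Brien</i> & co`;

console.log(countOpeningTags(renderErrorUnencoded(sampleName))); // <p> plus injected <i>
console.log(countOpeningTags(renderErrorEncoded(sampleName)));   // only the template's <p>
console.log(renderErrorEncoded(sampleName));
```

Encoding belongs at output rather than when the value is stored, so the stored name stays exactly what was typed and is never encoded twice.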

AW: Security Vulnerability - Guacamole 1.0.0

Posted by Joachim Lindenberg <jo...@lindenberg.one>.
Lockout in-case of consecutive incorrect logins opens the option for
denial-of-service attacks. Has to be optional at best.

Best Regards, Joachim

 

From: Tushar Jain <tu...@hitachi.mgrmnet.com> 
Sent: Wednesday, 3 June 2020 17:54
To: user@guacamole.apache.org
Subject: Security Vulnerability - Guacamole 1.0.0

 

Hi,

 

My security vulnerability testing group has reported following issues:

 

1.	Reflected XSS - In the username field, while creating a new user
2.	HTML Injection - In the group name field while creating a new group
3.	Implementation of Captcha or a lockout in-case of consecutive
incorrect logins. I am using both mysql and LDAP (AD) authentication

 

He further suggested to implement HTML encoding for special tags like <, >,
", ' for 1 and 2 above.

 

It would be really helpful if anyone can direct me the resolution I need to
take to fix the above. 

 

 

Thanks in advance

Tushar Jain

 



RE: Security Vulnerability - Guacamole 1.0.0

Posted by Tushar Jain <tu...@hitachi.mgrmnet.com>.
Hi Mike,

 

> Tushar, if you believe you have found security issues, please DO NOT REPORT THEM IN A PUBLIC FORUM and instead follow responsible disclosure practices. The user@ mailing list is not the place to report such things. See:
>
> http://guacamole.apache.org/security/

 

My apologies. Wasn’t aware of this and will be more careful from next time.

 

I would try out your suggestions and will post in the security mailing list for any follow-up questions I may have.

 

Thanks again.

 

-Tushar

 

From: Mike Jumper [mailto:mjumper@apache.org] 
Sent: 04 June 2020 12:44 AM
To: user@guacamole.apache.org
Subject: Re: Security Vulnerability - Guacamole 1.0.0

 

On Wed, Jun 3, 2020 at 8:54 AM Tushar Jain <tushar.jain@hitachi.mgrmnet.com> wrote:

Hi,

 

My security vulnerability testing group has reported following issues:

 

Tushar, if you believe you have found security issues, please DO NOT REPORT THEM IN A PUBLIC FORUM and instead follow responsible disclosure practices. The user@ mailing list is not the place to report such things. See:

 

http://guacamole.apache.org/security/

 

Thankfully, the issues you have noted are not actually vulnerabilities (see details below). Going forward, please do not do this.

 

1.      Reflected XSS – In the username field, while creating a new user

2.      HTML Injection – In the group name field while creating a new group

 

Both of the above are actually the same issue and have been fixed via: https://issues.apache.org/jira/browse/GUACAMOLE-955

 

From GUACAMOLE-955:

 

"... This doesn't happen to have security implications in our case, as the behavior is isolated to error message rendering (it cannot be stored, can only be self-inflicted, and can only occur through manually interacting with the UI), but it really should be addressed. ..."

 

3.      Implementation of Captcha or a lockout in-case of consecutive incorrect logins. I am using both mysql and LDAP (AD) authentication

This would be a useful feature, but its absence is not a vulnerability. If interested in this, I would recommend following the corresponding issue in JIRA, as a general configurable rate limit / lockout for authentication is on the radar. See:

 

https://issues.apache.org/jira/browse/GUACAMOLE-990

 

Your best option for now is to use an existing lockout tool like fail2ban.

 

- Mike

 



Re: Security Vulnerability - Guacamole 1.0.0

Posted by Mike Jumper <mj...@apache.org>.
On Wed, Jun 3, 2020 at 8:54 AM Tushar Jain <tu...@hitachi.mgrmnet.com>
wrote:

> Hi,
>
>
>
> My security vulnerability testing group has reported following issues:
>

Tushar, if you believe you have found security issues, please *DO NOT
REPORT THEM IN A PUBLIC FORUM* and instead follow responsible disclosure
practices. The user@ mailing list is not the place to report such things.
See:

http://guacamole.apache.org/security/

Thankfully, the issues you have noted are not actually vulnerabilities (see
details below). Going forward, please do not do this.

> 1.      Reflected XSS – In the username field, while creating a new user
>
> 2.      HTML Injection – In the group name field while creating a new
> group
>

Both of the above are actually the same issue and have been fixed via:
https://issues.apache.org/jira/browse/GUACAMOLE-955

From GUACAMOLE-955:

"... This doesn't happen to have security implications in our case, as the
behavior is isolated to error message rendering (it cannot be stored, can
only be self-inflicted, and can only occur through manually interacting
with the UI), but it really should be addressed. ..."

> 3.      Implementation of Captcha or a lockout in-case of consecutive
> incorrect logins. I am using both mysql and LDAP (AD) authentication
>

This would be a useful feature, but its absence is not a vulnerability. If
interested in this, I would recommend following the corresponding issue in
JIRA, as a general configurable rate limit / lockout for authentication is
on the radar. See:

https://issues.apache.org/jira/browse/GUACAMOLE-990

Your best option for now is to use an existing lockout tool like fail2ban.

- Mike
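
Editor's added example (not part of the thread and not Guacamole or fail2ban code): a small simulation of the two lockout models discussed in this thread, the per-account lockout that Joachim notes can be used for denial of service, and blocking by source address as a tool like fail2ban does. The class, thresholds, user name and documentation-range addresses are constructed for illustration.

```javascript
// Added example with hypothetical names; thresholds and addresses are constructed.
class FailureTracker {
  // keyOf decides what gets blocked: the account name or the source address.
  constructor(keyOf, maxFailures, windowMs) {
    this.keyOf = keyOf;
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // key -> timestamps (ms) of recent failures
  }

  // Drops failures older than the window and returns the ones still counted.
  recent(key, now) {
    const kept = (this.failures.get(key) || []).filter((t) => now - t < this.windowMs);
    this.failures.set(key, kept);
    return kept;
  }

  recordFailure(attempt, now) {
    this.recent(this.keyOf(attempt), now).push(now);
  }

  isBlocked(attempt, now) {
    return this.recent(this.keyOf(attempt), now).length >= this.maxFailures;
  }
}

// Five wrong passwords for "alice" from one address, then the real owner
// tries to sign in from a different address.
function simulate(keyOf) {
  const windowMs = 10 * 60 * 1000;
  const tracker = new FailureTracker(keyOf, 5, windowMs);
  const guesser = { user: 'alice', ip: '203.0.113.7' };
  const owner = { user: 'alice', ip: '198.51.100.20' };
  for (let i = 0; i < 5; i++) tracker.recordFailure(guesser, i * 1000);
  const now = 6000;
  return {
    ownerBlocked: tracker.isBlocked(owner, now),
    guesserBlocked: tracker.isBlocked(guesser, now),
    guesserBlockedAfterWindow: tracker.isBlocked(guesser, now + windowMs),
  };
}

const perAccount = simulate((a) => a.user); // account lockout
const perSource = simulate((a) => a.ip);    // address ban, the fail2ban model
console.log({ perAccount, perSource });
```

With the account as the key, the owner is locked out by someone else's failures; with the source address as the key, only the address that produced the failures is blocked, and the block lapses once the window has passed.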