Security Vulnerability - Guacamole 1.0.0

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Security Vulnerability - Guacamole 1.0.0

Tushar Jain

Hi,

 

My security vulnerability testing group has reported following issues:

 

1.      Reflected XSS – In the username field, while creating a new user

2.      HTML Injection – In the group name field while creating a new group

3.      Implementation of Captcha or a lockout in-case of consecutive incorrect logins. I am using both mysql and LDAP (AD) authentication

 

He further suggested to implement HTML encoding for special tags like <, >, “, ‘ for 1 and 2 above.

 

It would be really helpful if anyone can direct me the resolution I need to take to fix the above.

 

 

Thanks in advance

Tushar Jain


Disclaimer: This message and any attachment may contain confidential, proprietary information and is intended only for the individual named. If you are not the original intended recipient and have erroneously received this message, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. Hitachi MGRM Net E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Hitachi MGRM Net therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. Hitachi MGRM Net Ltd, C - 6/5, Safdarjung Development Area, New Delhi - 110016, India

'Please consider the environment before printing this e-mail'.
Reply | Threaded
Open this post in threaded view
|

AW: Security Vulnerability - Guacamole 1.0.0

Joachim Lindenberg

Lockout in-case of consecutive incorrect logins opens the option for denial-of-service attacks. Has to be optional at best.

Best Regards, Joachim

 

Von: Tushar Jain <[hidden email]>
Gesendet: Mittwoch, 3. Juni 2020 17:54
An: [hidden email]
Betreff: Security Vulnerability - Guacamole 1.0.0

 

Hi,

 

My security vulnerability testing group has reported following issues:

 

  1. Reflected XSS – In the username field, while creating a new user
  2. HTML Injection – In the group name field while creating a new group
  3. Implementation of Captcha or a lockout in-case of consecutive incorrect logins. I am using both mysql and LDAP (AD) authentication

 

He further suggested to implement HTML encoding for special tags like <, >, “, ‘ for 1 and 2 above.

 

It would be really helpful if anyone can direct me the resolution I need to take to fix the above.

 

 

Thanks in advance

Tushar Jain

 

Disclaimer: This message and any attachment may contain confidential, proprietary information and is intended only for the individual named. If you are not the original intended recipient and have erroneously received this message, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. Hitachi MGRM Net E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Hitachi MGRM Net therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. Hitachi MGRM Net Ltd, C - 6/5, Safdarjung Development Area, New Delhi - 110016, India

 

'Please consider the environment before printing this e-mail'.

Reply | Threaded
Open this post in threaded view
|

Re: Security Vulnerability - Guacamole 1.0.0

mjumper
Administrator
In reply to this post by Tushar Jain
On Wed, Jun 3, 2020 at 8:54 AM Tushar Jain <[hidden email]> wrote:

Hi,

 

My security vulnerability testing group has reported following issues:


Tushar, if you believe you have found security issues, please DO NOT REPORT THEM IN A PUBLIC FORUM and instead follow responsible disclosure practices. The user@ mailing list is not the place to report such things. See:


Thankfully, the issues you have noted are not actually vulnerabilities (see details below). Going forward, please do not do this.

1.      Reflected XSS – In the username field, while creating a new user

2.      HTML Injection – In the group name field while creating a new group


Both of the above are actually the same issue and have been fixed via: https://issues.apache.org/jira/browse/GUACAMOLE-955

From GUACAMOLE-955:

"... This doesn't happen to have security implications in our case, as the behavior is isolated to error message rendering (it cannot be stored, can only be self-inflicted, and can only occur through manually interacting with the UI), but it really should be addressed. ..."

3.      Implementation of Captcha or a lockout in-case of consecutive incorrect logins. I am using both mysql and LDAP (AD) authentication

This would be a useful feature, but its absence is not a vulnerability. If interested in this, I would recommend following the corresponding issue in JIRA, as a general configurable rate limit / lockout for authentication is on the radar. See:


Your best option for now is to use an existing lockout tool like fail2ban.

- Mike

Reply | Threaded
Open this post in threaded view
|

RE: Security Vulnerability - Guacamole 1.0.0

Tushar Jain

HI Mike,

 

Tushar, if you believe you have found security issues, please DO NOT REPORT THEM IN A PUBLIC FORUM and instead follow responsible disclosure practices. The user@ mailing list is not the place to report such things. See:

 

http://guacamole.apache.org/security/

 

My apologies. Wasn’t aware of this and will be more careful from next time.

 

I would try out your suggestions and will post in the security mailing list for any follow-up questions I may have.

 

Thanks again.

 

-Tushar

 

From: Mike Jumper [mailto:[hidden email]]
Sent: 04 June 2020 12:44 AM
To: [hidden email]
Subject: Re: Security Vulnerability - Guacamole 1.0.0

 

On Wed, Jun 3, 2020 at 8:54 AM Tushar Jain <[hidden email]> wrote:

Hi,

 

My security vulnerability testing group has reported following issues:

 

Tushar, if you believe you have found security issues, please DO NOT REPORT THEM IN A PUBLIC FORUM and instead follow responsible disclosure practices. The user@ mailing list is not the place to report such things. See:

 

 

Thankfully, the issues you have noted are not actually vulnerabilities (see details below). Going forward, please do not do this.

 

1.      Reflected XSS – In the username field, while creating a new user

2.      HTML Injection – In the group name field while creating a new group

 

Both of the above are actually the same issue and have been fixed via: https://issues.apache.org/jira/browse/GUACAMOLE-955

 

From GUACAMOLE-955:

 

"... This doesn't happen to have security implications in our case, as the behavior is isolated to error message rendering (it cannot be stored, can only be self-inflicted, and can only occur through manually interacting with the UI), but it really should be addressed. ..."

 

3.      Implementation of Captcha or a lockout in-case of consecutive incorrect logins. I am using both mysql and LDAP (AD) authentication

This would be a useful feature, but its absence is not a vulnerability. If interested in this, I would recommend following the corresponding issue in JIRA, as a general configurable rate limit / lockout for authentication is on the radar. See:

 

 

Your best option for now is to use an existing lockout tool like fail2ban.

 

- Mike

 


Disclaimer: This message and any attachment may contain confidential, proprietary information and is intended only for the individual named. If you are not the original intended recipient and have erroneously received this message, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. Hitachi MGRM Net E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Hitachi MGRM Net therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. Hitachi MGRM Net Ltd, C - 6/5, Safdarjung Development Area, New Delhi - 110016, India

'Please consider the environment before printing this e-mail'.