[ https://issues.apache.org/jira/browse/GUACAMOLE-20?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Jumper resolved GUACAMOLE-20.
-------------------------------------
    Resolution: Fixed

Completed prior to full migration to Apache infrastructure. Full public 
announcement was made 2016-02-01. CVE ID: 
[CVE-2016-1566|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1566]

> Stored XSS vulnerability in file browser
> ----------------------------------------
>
>                 Key: GUACAMOLE-20
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-20
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole
>    Affects Versions: 0.9.8, 0.9.9
>            Reporter: Michael Jumper
>            Priority: Blocker
>             Fix For: 0.9.10-incubating, 0.9.9, 0.9.8
>
>
> {panel:bgColor=#FFFFEE}
> *The description of this issue was copied from 
> [GUAC-1465|https://glyptodon.org/jira/browse/GUAC-1465], an issue in the JIRA 
> instance used by the Guacamole project prior to its acceptance into the 
> Apache Incubator.*
> Comments, attachments, related issues, and history from prior to acceptance 
> *have not been copied* and can be found instead at the original issue.
> {panel}
> {panel:title=(!) IMPORTANT|borderColor=#FF0000|bgColor=#FFEEEE}
> As this affects strictly 0.9.8 and 0.9.9, *we will need to produce patch 
> releases (and update Docker) for 0.9.8 and 0.9.9* as well as a public 
> announcement which includes a CVE-ID.
> For strictly-Glyptodon matters, we will also need to make all possible 
> responsible disclosures to clients.
> {panel}
> As reported by Niv Levy:
> {quote}
> Hello Guacamole Dev Team!
> My name is Niv Levy, I'm an information security consultant from Israel.
> During a recent penetration test I found that Guacamole is vulnerable to a 
> stored cross-site scripting attack.
> Stored cross-site scripting means that the injected script is permanently 
> stored on the target servers. The victim then retrieves the malicious script 
> from the server when it requests the stored information.
> The attacker-supplied code can perform a wide variety of actions, such as 
> stealing the victim's session token or login credentials, performing 
> arbitrary actions on the victim's behalf, and logging their keystrokes.
> h4. Replication Steps:
> # Upload a file with a malicious name. For example: {{"><svg onload=confirm('Stored_XSS')>.png}}
> # After Uploading the file, refresh the folder where we uploaded our 
> malicious file. The result on the client browser: (see attachment)
> Countermeasure: 
> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
> {quote}
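The report above describes a filename that is placed into the file browser's HTML without encoding. The following is an added example, not code from the Guacamole project: a hypothetical row template that concatenates the filename straight into markup, beside a hardened version that applies the output encoding recommended by the OWASP cheat sheet linked in the report. The template shape, function names and the detector helper are assumptions for illustration.

```javascript
// Added example (not Guacamole's code): vulnerable vs. hardened rendering
// of a filename in a hypothetical file-browser row template.

// Entity map for HTML-significant characters, per the OWASP XSS
// prevention cheat sheet's output-encoding rule for HTML bodies/attributes.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical vulnerable template: the filename lands inside a quoted
// attribute and as element text. A name containing `">` closes the
// attribute, so the rest of the name is parsed as new markup.
function renderFileEntryUnsafe(filename) {
  return '<div class="file" title="' + filename + '">' + filename + '</div>';
}

// Hardened template: same layout, but the filename is encoded once at the
// point where it is written into HTML, so it can only ever be text.
function renderFileEntry(filename) {
  const safe = escapeHtml(filename);
  return '<div class="file" title="' + safe + '">' + safe + '</div>';
}

// Check helper: list any tag names in the rendered row other than the
// single <div> the template is meant to emit. Non-empty means injection.
function extraTags(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags
    .map((t) => t.replace(/^<\/?/, '').toLowerCase())
    .filter((name) => name !== 'div');
}

// Constructed sample input: the filename quoted in the report.
const REPORTED_NAME = '"><svg onload=confirm(\'Stored_XSS\')>.png';
```

Running `extraTags` over both renderings of `REPORTED_NAME` shows the unsafe template yielding stray `svg` tags while the hardened one yields none, which is the regression check a file-browser test suite would keep.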



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)