[ https://issues.apache.org/jira/browse/GUACAMOLE-20?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Jumper resolved GUACAMOLE-20.
-------------------------------------
    Resolution: Fixed

Completed prior to full migration to Apache infrastructure. Full public announcement was made 2016-02-01.

CVE ID: [CVE-2016-1566|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1566]

> Stored XSS vulnerability in file browser
> ----------------------------------------
>
>                 Key: GUACAMOLE-20
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-20
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole
>    Affects Versions: 0.9.8, 0.9.9
>            Reporter: Michael Jumper
>            Priority: Blocker
>             Fix For: 0.9.10-incubating, 0.9.9, 0.9.8
>
>
> {panel:bgColor=#FFFFEE}
> *The description of this issue was copied from [GUAC-1465|https://glyptodon.org/jira/browse/GUAC-1465], an issue in the JIRA instance used by the Guacamole project prior to its acceptance into the Apache Incubator.*
> Comments, attachments, related issues, and history from prior to acceptance *have not been copied* and can be found instead at the original issue.
> {panel}
> {panel:title=(!) IMPORTANT|borderColor=#FF0000|bgColor=#FFEEEE}
> As this affects strictly 0.9.8 and 0.9.9, *we will need to produce patch releases (and update Docker) for 0.9.8 and 0.9.9* as well as a public announcement which includes a CVE-ID.
> For strictly-Glyptodon matters, we will also need to make all possible responsible disclosures to clients.
> {panel}
> As reported by Niv Levy:
> {quote}
> Hello Guacamole Dev Team!
> My name is Niv Levy, I'm an information security consultant from Israel.
> During a recent penetration test I found that Guacamole is vulnerable to a stored cross-site scripting attack.
> Stored cross-site scripting means that the injected script is permanently stored on the target servers. The victim then retrieves the malicious script from the server when it requests the stored information.
> The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
> h4. Replication Steps:
> # Upload a file with a malicious name. For example: {{"><svg onload=confirm('Stored_XSS')>.png}}
> # After uploading the file, refresh the folder where we uploaded our malicious file. The result on the client browser: (see attachment)
> Countermeasure:
> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
> {quote}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
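The mechanism behind the report above, shown as an added example that is not part of this issue and not Guacamole's own file-browser code: a stored file name is interpolated straight into the listing's HTML, so the `"` in the name closes the attribute, the `>` closes the tag, and the `<svg onload=...>` that follows becomes live markup. The hardened variant applies the contextual output encoding the linked OWASP cheat sheet recommends. The listing builders, `escapeHtml`, `hasUnexpectedTag` and the `SAMPLE_LISTING` entries are all hypothetical and constructed for this demonstration.

```javascript
// Added example, not Guacamole code: how an unescaped file name becomes
// stored XSS in a file-browser listing, and how output encoding prevents it.
// All names below are hypothetical stand-ins for a real client's rendering code.

// Constructed sample directory listing, as a server might hand it to the client.
const SAMPLE_LISTING = [
  { name: "report.pdf", type: "file" },
  { name: "photos", type: "dir" },
  // The file name from the report above, stored verbatim by the server.
  { name: "\"><svg onload=confirm('Stored_XSS')>.png", type: "file" },
];

// Vulnerable: interpolates the stored name directly into HTML. For the malicious
// entry the `"` terminates data-name, the `>` terminates the <a> start tag, and
// the remainder is parsed as a new <svg> element whose onload handler fires
// as soon as the markup is inserted into the page via innerHTML.
function renderListingVulnerable(entries) {
  return entries.map(e =>
    `<li class="${e.type}"><a href="#" data-name="${e.name}">${e.name}</a></li>`
  ).join("\n");
}

// Contextual output encoding for HTML text and quoted-attribute contexts.
// Every character that can change the HTML parser's state is replaced by an
// entity, so the browser only ever sees the name as character data.
function escapeHtml(s) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "`": "&#x60;",
  };
  return String(s).replace(/[&<>"'`]/g, ch => map[ch]);
}

// Hardened: every untrusted value is encoded before it reaches an HTML context,
// including the type field, since it also comes from the server.
function renderListingSafe(entries) {
  return entries.map(e =>
    `<li class="${escapeHtml(e.type)}">` +
    `<a href="#" data-name="${escapeHtml(e.name)}">${escapeHtml(e.name)}</a></li>`
  ).join("\n");
}

// Check helper: true if the rendered markup contains any element other than
// the two the template intends to emit (li and a). A file name that smuggles
// in a new tag shows up here; an escaped one does not, because "&lt;svg" is
// not a tag.
function hasUnexpectedTag(html) {
  const allowed = new Set(["li", "a"]);
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.has(m[1].toLowerCase())) return true;
  }
  return false;
}
```

In a real client, building markup by string concatenation is the wrong tool in the first place: create the elements with `document.createElement`, set the name with `textContent` and `setAttribute`, or rely on the framework's auto-escaping bindings, and keep `escapeHtml` for the cases where a string of HTML genuinely has to be assembled.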