Re: just to report a possible problem: tunnel?write:null status code 500 (old version 1.3.0)

2024-03-27 Thread fed
Hi,

Some people are trying to connect to my Guacamole instance using
tunnel?write=null; I found this in several log reports with the status code
500 in the last week.
I suppose these are scanning scripts, maybe looking for some
vulnerabilities (?); it seemed strange to me.
If it had been a 4xx status code like a bad request I would have ignored it, but a
500 seemed like a server problem, hence the report.

Other than this my Guacamole instance is working, and yes, you're right, I know
I have to upgrade it ASAP to the latest version.

Regards
-Fed

On Wed, 27 Mar 2024 at 19:10, Nick Couchman wrote:

> On Wed, Mar 27, 2024 at 2:01 PM fed wrote:
>
>> Hi,
>>
>> As I wrote in the subject, I am running an old version, 1.3.0. I just want
>> to report this problem that I found from some requests in the logs; sorry, I
>> don’t know if it is a false problem or if it was resolved in a newer
>> version.
>>
>> What I found is a request to guacamole_endpoint/tunnel?write:null; this
>> will generate a:
>>
>> HTTP Status 500 – Internal Server Error
>> Type Exception Report
>> Message String index out of range: 42
>> Description The server encountered an unexpected condition that prevented it from fulfilling the request.
>> Exception
>> java.lang.StringIndexOutOfBoundsException: String index out of range: 42
>>  java.lang.String.substring(String.java:1963)
>>  org.apache.guacamole.servlet.GuacamoleHTTPTunnelServlet.handleTunnelRequest(GuacamoleHTTPTunnelServlet.java:251)
>>  org.apache.guacamole.servlet.GuacamoleHTTPTunnelServlet.doGet(GuacamoleHTTPTunnelServlet.java:137)
>>  javax.servlet.http.HttpServlet.service(HttpServlet.java:626)
>>  javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
>>  com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263)
>>  com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178)
>>  com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
>>  com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62)
>>  com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
>>  com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
>> Note The full stack trace of the root cause is available in the server logs.
>>
>> Thanks for the help.
>>
> Can you elaborate on what the problem is - how and when you encounter it -
> and what you're expecting to get help with? It seems like writing "null" to
> the tunnel endpoint is not something that one would normally do? Is there
> some situation you're encountering where you expect this to happen, and
> expect a different result?
>
> Regarding the older version, I'd certainly encourage you to try out one of
> the newer versions and see if it still exists - if it does turn out to be a
> bug, either in 1.3.0 or in all versions, it would be fixed in a newer
> release - we will not go back and patch 1.3.0.
>
> -Nick


Re: just to report a possible problem: tunnel?write:null status code 500 (old version 1.3.0)

2024-03-27 Thread Nick Couchman
On Wed, Mar 27, 2024 at 2:01 PM fed wrote:

> Hi,
>
> As I wrote in the subject, I am running an old version, 1.3.0. I just want
> to report this problem that I found from some requests in the logs; sorry, I
> don’t know if it is a false problem or if it was resolved in a newer
> version.
>
> What I found is a request to guacamole_endpoint/tunnel?write:null; this
> will generate a:
>
> HTTP Status 500 – Internal Server Error
> Type Exception Report
> Message String index out of range: 42
> Description The server encountered an unexpected condition that prevented it from fulfilling the request.
> Exception
> java.lang.StringIndexOutOfBoundsException: String index out of range: 42
>  java.lang.String.substring(String.java:1963)
>  org.apache.guacamole.servlet.GuacamoleHTTPTunnelServlet.handleTunnelRequest(GuacamoleHTTPTunnelServlet.java:251)
>  org.apache.guacamole.servlet.GuacamoleHTTPTunnelServlet.doGet(GuacamoleHTTPTunnelServlet.java:137)
>  javax.servlet.http.HttpServlet.service(HttpServlet.java:626)
>  javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
>  com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263)
>  com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178)
>  com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
>  com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62)
>  com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
>  com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
> Note The full stack trace of the root cause is available in the server logs.
>
> Thanks for the help.
>
Can you elaborate on what the problem is - how and when you encounter it -
and what you're expecting to get help with? It seems like writing "null" to
the tunnel endpoint is not something that one would normally do? Is there
some situation you're encountering where you expect this to happen, and
expect a different result?

Regarding the older version, I'd certainly encourage you to try out one of
the newer versions and see if it still exists - if it does turn out to be a
bug, either in 1.3.0 or in all versions, it would be fixed in a newer
release - we will not go back and patch 1.3.0.

-Nick



just to report a possible problem: tunnel?write:null status code 500 (old version 1.3.0)

2024-03-27 Thread fed
Hi,

As I wrote in the subject, I am running an old version, 1.3.0. I just want to
report this problem that I found from some requests in the logs; sorry, I
don’t know if it is a false problem or if it was resolved in a newer
version.

What I found is a request to guacamole_endpoint/tunnel?write:null; this
will generate a:

HTTP Status 500 – Internal Server Error
Type Exception Report
Message String index out of range: 42
Description The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception
java.lang.StringIndexOutOfBoundsException: String index out of range: 42
 java.lang.String.substring(String.java:1963)
 org.apache.guacamole.servlet.GuacamoleHTTPTunnelServlet.handleTunnelRequest(GuacamoleHTTPTunnelServlet.java:251)
 org.apache.guacamole.servlet.GuacamoleHTTPTunnelServlet.doGet(GuacamoleHTTPTunnelServlet.java:137)
 javax.servlet.http.HttpServlet.service(HttpServlet.java:626)
 javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
 com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263)
 com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178)
 com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
 com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62)
 com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
 com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
Note The full stack trace of the root cause is available in the server logs.

Thanks for the help.

Regards
-Fed
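
A log-triage sketch for the kind of request reported in this thread, added here as an example; it is not code from the Guacamole project or from either poster. It assumes a common-log-format access log and that well-formed HTTP tunnel queries are `connect`, `read:<36-character UUID>...` or `write:<36-character UUID>` (an assumption consistent with the index 42 in the trace, 6 characters of `write:` plus 36). The log lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed access-log lines (common log format); addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.20 - - [27/Mar/2024:17:40:02 +0000] "POST /guacamole/tunnel?connect HTTP/1.1" 200 36
198.51.100.20 - - [27/Mar/2024:17:40:03 +0000] "GET /guacamole/tunnel?read:5a1f0c3e-9b7d-4e21-8c44-0d2f6a7b9e10:0 HTTP/1.1" 200 512
198.51.100.20 - - [27/Mar/2024:17:40:03 +0000] "POST /guacamole/tunnel?write:5a1f0c3e-9b7d-4e21-8c44-0d2f6a7b9e10 HTTP/1.1" 200 0
203.0.113.7 - - [27/Mar/2024:17:55:01 +0000] "GET /guacamole/tunnel?write:null HTTP/1.1" 500 1187
203.0.113.7 - - [27/Mar/2024:17:55:04 +0000] "GET /guacamole/tunnel?write=null HTTP/1.1" 500 1187
203.0.113.9 - - [27/Mar/2024:18:02:11 +0000] "GET /guacamole/tunnel?read:abc HTTP/1.1" 500 1187
198.51.100.20 - - [27/Mar/2024:18:03:00 +0000] "GET /guacamole/api/languages HTTP/1.1" 200 210
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})\b')
# Assumed shape of a legitimate tunnel query: connect, or read:/write: plus a 36-char UUID.
UUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
WELL_FORMED = re.compile(rf"^(?:connect|(?:read|write):{UUID}(?::.*)?)$")

def malformed_tunnel_requests(log_text):
    """Return (client, method, query, status) for tunnel requests with an unexpected query."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, method, target, status = m.groups()
        path, _, query = target.partition("?")
        if path.endswith("/tunnel") and not WELL_FORMED.match(query):
            hits.append((client, method, query, int(status)))
    return hits

def summarize(hits):
    """Per client: (malformed tunnel requests, how many of those were answered 5xx)."""
    per_client = Counter(h[0] for h in hits)
    server_errors = Counter(h[0] for h in hits if h[3] >= 500)
    return {client: (n, server_errors[client]) for client, n in per_client.items()}

if __name__ == "__main__":
    for client, (total, errors) in summarize(malformed_tunnel_requests(SAMPLE_LOG)).items():
        print(f"{client}: {total} malformed tunnel requests, {errors} answered 5xx")
```

Clients that only ever send malformed tunnel queries and never a `connect` are the ones worth rate-limiting or blocking at the reverse proxy while the upgrade is pending.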