On Thu, Sep 12, 2019 at 11:40 AM Der PCFreak <[email protected]>
wrote:

> Hi,
>
> by accident I found the following in my very reduced Apache SSL Error logs:
>
> ```
> [Thu Sep 05 02:35:53 2019] [error] [client xxx.xxx.xxx.xxx] Invalid URI in request GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1
> ```
>
> The thing is, I do not host Guacamole to the public internet, nor on
> this machine.
>
> I just wanted to inform the list that it might be the case that someone
> found a vulnerability in Guacamole and tries to find public vulnerable
> servers.
>
>
First, if you think you've found a vulnerability in Guacamole, please make
sure to report it responsibly:

https://www.apache.org/security/

This involves reporting it *privately* to the project, not publicly on the
lists.

That said, in your case, if your Guacamole instance is not hosted publicly,
then I would be concerned that whatever network it is hosted on has
something bad on it - the kind of attack you're seeing there looks less
like an attack specific to Guacamole and more like a generic case of
someone finding a valid URL and then trying to exploit a poorly-configured
system to get access to system-level files.  The good news, for you, is
that it appears that your Apache server is seeing it as an invalid
request.  The bad news is that something is trying to do it in the first
place.  Whatever client is represented by the redacted "[client
xxx.xxx.xxx.xxx]" should probably be investigated for malware and/or threat
actors present on the system.

-Nick
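
An added example, not part of either message in this thread: one way to find which clients are sending requests like the one quoted, by scanning an Apache 2.2-style error log for "Invalid URI in request" entries whose dot-segments climb above the document root. The function names and the sample lines (with documentation-range client addresses) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Matches the error-log entry format quoted in the thread.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'Invalid URI in request (?P<method>[A-Z]+) (?P<uri>\S+)')

def escapes_root(uri):
    """Return the path reached if '..' segments climb above the root, else None."""
    path = unquote(uri.split('?', 1)[0])   # drop query string, decode %2e once
    stack, escaped = [], False
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if stack:
                stack.pop()
            else:
                escaped = True             # more '..' than directories to leave
        else:
            stack.append(seg)
    return '/' + '/'.join(stack) if escaped else None

def scan(lines):
    """Map each client to the (timestamp, resolved target) of its traversal attempts."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            target = escapes_root(m.group('uri'))
            if target:
                hits[m.group('client')].append((m.group('ts'), target))
    return dict(hits)

# Constructed sample: the thread's request, a harmless malformed URI, an unrelated error.
SAMPLE_LOG = [
    '[Thu Sep 05 02:35:53 2019] [error] [client 203.0.113.7] Invalid URI in request '
    'GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts'
    '?/dana/html5acc/guacamole/ HTTP/1.1',
    '[Thu Sep 05 02:40:01 2019] [error] [client 198.51.100.20] Invalid URI in request '
    'GET docs/../index.html HTTP/1.1',
    '[Thu Sep 05 02:41:00 2019] [error] [client 198.51.100.20] File does not exist: '
    '/var/www/favicon.ico',
]

if __name__ == '__main__':
    for client, events in scan(SAMPLE_LOG).items():
        for ts, target in events:
            print(f'{client} {ts} -> {target}')
```

Clients reported by `scan` are the ones to investigate; the check decodes percent-encoding only once, so doubly encoded dot-segments would need a second pass.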
