On Thu, Sep 12, 2019 at 10:58 PM Der PCFreak <[email protected]> wrote:
> ... > > The latter made me thinking about sending an email to the list because why > would someone go exactly for a path containing `guacamole`. Well it just > might be that the attacker read [this document]( > https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf) > from Blackhat 2019 where it is listed as an example on page 80. (btw. very > interesting document...) > My guess would be that the vulnerable component of Pulse Secure happens to be used to serve the static files of Guacamole, thus the path needs to appear to point to Guacamole for the vulnerable part of Pulse Secure to be handed the request. The query string ending with ".../guacamole/" looks like an attempt to exploit naive request validation. As Nick noted, while this case happens to deal with a vulnerability specific to Pulse Secure and not Guacamole, please use the (private) [email protected] list going forward if you're seeing something that appears to have security implications. If this had turned out to be a problem with Guacamole, and that problem had been unknown until now, then you would have just publicly disclosed a security issue with no immediately-available fix, to the dismay of anyone hosting the software. - Mike
