Lockout in case of consecutive incorrect logins opens the option for
denial-of-service attacks. Has to be optional at best.

Best Regards, Joachim

From: Tushar Jain <[email protected]>
Sent: Wednesday, 3 June 2020 17:54
To: [email protected]
Subject: Security Vulnerability - Guacamole 1.0.0

Hi,

My security vulnerability testing group has reported the following issues:

1. Reflected XSS - In the username field, while creating a new user
2. HTML Injection - In the group name field, while creating a new group
3. Implementation of Captcha or a lockout in case of consecutive incorrect logins. I am using both MySQL and LDAP (AD) authentication

He further suggested implementing HTML encoding for special tags like <, >, ", ' for 1 and 2 above.

It would be really helpful if anyone can direct me to the resolution I need to take to fix the above.

Thanks in advance

Tushar Jain