On Wed, Jun 3, 2020 at 8:54 AM Tushar Jain <[email protected]> wrote:
> Hi,
>
> My security vulnerability testing group has reported the following issues:
>

Tushar, if you believe you have found security issues, please *DO NOT REPORT THEM IN A PUBLIC FORUM* and instead follow responsible disclosure practices. The user@ mailing list is not the place to report such things. See:

http://guacamole.apache.org/security/

Thankfully, the issues you have noted are not actually vulnerabilities (see details below). Going forward, please do not do this.

> 1. Reflected XSS – In the username field, while creating a new user
>
> 2. HTML Injection – In the group name field while creating a new group
>

Both of the above are actually the same issue and have been fixed via:

https://issues.apache.org/jira/browse/GUACAMOLE-955

From GUACAMOLE-955:

"... This doesn't happen to have security implications in our case, as the behavior is isolated to error message rendering (it cannot be stored, can only be self-inflicted, and can only occur through manually interacting with the UI), but it really should be addressed. ..."

> 3. Implementation of Captcha or a lockout in case of consecutive incorrect logins. I am using both mysql and LDAP (AD) authentication
>

This would be a useful feature, but its absence is not a vulnerability. If interested in this, I would recommend following the corresponding issue in JIRA, as a general configurable rate limit / lockout for authentication is on the radar. See:

https://issues.apache.org/jira/browse/GUACAMOLE-990

Your best option for now is to use an existing lockout tool like fail2ban.

- Mike

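The fail2ban-style lockout Mike points to, shown as an added example that is not part of the thread and not Guacamole project code: a small detector that reads Guacamole-style authentication log lines and bans a source address after too many failures inside a sliding window, the same three knobs fail2ban exposes as `maxretry`, `findtime` and `bantime`. The log line format (`Authentication attempt from [<addresses>] for user "<name>" failed.` behind a logback timestamp prefix), the sample lines, the addresses and the usernames are all constructed for this example; check `FAIL_RE` against what your own Tomcat log actually emits before relying on it.

```python
"""Sliding-window login lockout over Guacamole-style log lines (added example).

Assumed log format (verify against your deployment's logback configuration):
    HH:MM:SS.mmm [thread] WARN  <logger> - Authentication attempt from [<ip>] for user "<name>" failed.
"""
import re
from collections import defaultdict, deque
from datetime import date, datetime, timedelta

# Constructed sample log: five failures from one address within seconds, one
# from another address, one success line, and a late failure after the ban expired.
SAMPLE_LOG = """\
10:00:01.000 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "alice" failed.
10:00:02.000 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "alice" failed.
10:00:03.000 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "admin" failed.
10:00:04.000 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "root" failed.
10:00:05.000 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "alice" failed.
10:00:30.000 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.9] for user "bob" failed.
10:00:31.000 [http-nio-8080-exec-2] INFO  o.a.g.r.auth.AuthenticationService - User "bob" successfully authenticated from [198.51.100.9].
10:20:00.000 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "alice" failed.
"""

LOG_DAY = date(2020, 6, 3)  # logback's default pattern carries no date; supply it

# Equivalent of a fail2ban failregex for the assumed message format.
FAIL_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) .*Authentication attempt from '
    r'\[(?P<ips>[^\]]+)\] for user "(?P<user>[^"]*)" failed\.$'
)


def parse_failure(line, day=LOG_DAY):
    """Return (when, source_ip, user) for a failed-login line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    when = datetime.combine(day, datetime.strptime(m.group("ts"), "%H:%M:%S.%f").time())
    # The bracketed list may hold several addresses behind a reverse proxy;
    # this example keys on the first one. Decide which entry you trust.
    source_ip = m.group("ips").split(",")[0].strip()
    return when, source_ip, m.group("user")


class LockoutTracker:
    """Per-source-address lockout: max_failures within window => ban for ban_time."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 ban_time=timedelta(minutes=15)):
        self.max_failures = max_failures   # fail2ban: maxretry
        self.window = window               # fail2ban: findtime
        self.ban_time = ban_time           # fail2ban: bantime
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.banned_until = {}              # ip -> expiry of the current ban

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # ban expired: start counting afresh
            del self.banned_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, when):
        """Register one failure; return True if it triggers a new ban."""
        if self.is_banned(ip, when):
            return False                    # already locked out; nothing new to do
        recent = self.failures[ip]
        recent.append(when)
        while recent and when - recent[0] > self.window:
            recent.popleft()                # drop failures outside the window
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = when + self.ban_time
            recent.clear()
            return True
        return False


def scan_log(text, tracker=None, day=LOG_DAY):
    """Replay a log; return [(ip, time_of_ban), ...] in order of occurrence."""
    tracker = tracker or LockoutTracker()
    bans = []
    for line in text.splitlines():
        event = parse_failure(line, day)
        if event is None:
            continue
        when, ip, _user = event
        if tracker.record_failure(ip, when):
            bans.append((ip, when))
    return bans


if __name__ == "__main__":
    for ip, when in scan_log(SAMPLE_LOG):
        print(f"ban {ip} at {when:%H:%M:%S}")
```

The counter is keyed on the source address rather than the username, which is what catches the password-spraying pattern in the sample (four different usernames from one address). Note the caveat the thread itself implies: this protects the login endpoint regardless of whether the backend is MySQL or LDAP/AD, but it does nothing for an AD account lockout policy triggered through LDAP binds, and the late failure at 10:20 shows that an expired ban resets the count, so choose `window` and `ban_time` deliberately.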