HI Mike,
Tushar, if you believe you have found security issues, please DO NOT REPORT THEM IN A PUBLIC FORUM and instead follow responsible disclosure practices. The user@ mailing list is not the place to report such things. See: http://guacamole.apache.org/security/ My apologies. Wasn’t aware of this and will be more careful from next time. I would try out your suggestions and will post in the security mailing list for any follow-up questions I may have. Thanks again. -Tushar From: Mike Jumper [mailto:[email protected]] Sent: 04 June 2020 12:44 AM To: [email protected] Subject: Re: Security Vulnerability - Guacamole 1.0.0 On Wed, Jun 3, 2020 at 8:54 AM Tushar Jain <[email protected] <mailto:[email protected]> > wrote: Hi, My security vulnerability testing group has reported following issues: Tushar, if you believe you have found security issues, please DO NOT REPORT THEM IN A PUBLIC FORUM and instead follow responsible disclosure practices. The user@ mailing list is not the place to report such things. See: http://guacamole.apache.org/security/ Thankfully, the issues you have noted are not actually vulnerabilities (see details below). Going forward, please do not do this. 1. Reflected XSS – In the username field, while creating a new user 2. HTML Injection – In the group name field while creating a new group Both of the above are actually the same issue and have been fixed via: https://issues.apache.org/jira/browse/GUACAMOLE-955 >From GUACAMOLE-955: "... This doesn't happen to have security implications in our case, as the behavior is isolated to error message rendering (it cannot be stored, can only be self-inflicted, and can only occur through manually interacting with the UI), but it really should be addressed. ..." 3. Implementation of Captcha or a lockout in-case of consecutive incorrect logins. I am using both mysql and LDAP (AD) authentication This would be a useful feature, but its absence is not a vulnerability. If interested in this, I would recommend following the corresponding issue in JIRA, as a general configurable rate limit / lockout for authentication is on the radar. See: https://issues.apache.org/jira/browse/GUACAMOLE-990 Your best option for now is to use an existing lockout tool like fail2ban. - Mike -- **Disclaimer:* This message and any attachment may contain confidential, proprietary information and is intended only for the individual named. If you are not the original intended recipient and have erroneously received this message, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. Hitachi MGRM Net E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Hitachi MGRM Net therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. Hitachi MGRM Net Ltd, C - 6/5, Safdarjung Development Area, New Delhi - 110016, India* * * *'Please consider the environment before printing this e-mail'.*
