Well, besides being blatantly irresponsibly posted, it is indeed wrong (or at least very mistaken):
* The described issue relies on full admin access. The ability to create connections is considered an extremely high privilege for exactly the point noted: a connection can write files (see below). * It relies on an unofficial image that (1) runs both guacd and guacamole on the same image and (2) does not limit the privileges of either. The official images do neither of these things. For example, from the documentation for an official extension that specifically allows users to create connections: http://guacamole.apache.org/doc/gug/adhoc-connections.html "IMPORTANT: There are several implications of using this extension that should be well-understood by administrators prior to implementing it: ... The extension provides users the ability not only to establish connections, but also to set any of the parameters for a connection. There are security implications for this - for example, RDP file sharing can be used to pass through any directory available on the server running guacd to the remote desktop. ..." - Mike On Tue, Nov 23, 2021, 06:09 Joao Alexandre <[email protected]> wrote: > Hi All, > > Is this new, old, fake, already patched, something to worry about, > anything? > > https://thinkloveshare.com/hacking/hacking_guacamole_to_trigger_avocado/ > > Best regards, > > João >
