On 1/10/25 6:50 AM, Bernhard Schroll wrote:
Hello,
In the scope of a security audit, a possibility was found to take over
the Guacamole session of a user by copying the Windows profile.
The cause is the GUAC_AUTH token, which is located in the local storage
of the browser, which is also obtained with a copy of the Windows
profile. The prerequisite for this behavior is that the user has a valid
GUAC_AUTH token at the time of the copy.
Is there a way to keep session handling away from the browser store?
No, this would be the case for all web application sessions, as well as
other user-specific settings/storage, and is not a security issue. If
you have full administrator access to a user's computer and can make a
copy of their home directory or profile, you inherently have a copy of
all of their locally stored data, including any web application sessions
that are still valid.
If you have any other questions on points that you believe may have
security implications, please be sure to instead use the private
security@ list going forward:
[email protected]
This case isn't an issue, but it would be problematic if it were and
things were raised here on the public user@ list before a release can go
out correcting things. See:
https://guacamole.apache.org/security/
- Mike
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
