guacamole-commits mailing list archives

From "Michael Jumper (JIRA)" <>
Subject [jira] [Created] (GUACAMOLE-20) Stored XSS vulnerability in file browser
Date Thu, 19 May 2016 05:54:12 GMT
Michael Jumper created GUACAMOLE-20:

             Summary: Stored XSS vulnerability in file browser
                 Key: GUACAMOLE-20
             Project: Guacamole
          Issue Type: Bug
          Components: guacamole
    Affects Versions: 0.9.9, 0.9.8
            Reporter: Michael Jumper
            Priority: Blocker
             Fix For: 0.9.10-incubating, 0.9.9, 0.9.8

*The description of this issue was copied from [GUAC-1465|],
an issue in the JIRA instance used by the Guacamole project prior to its acceptance into the
Apache Incubator.*

Comments, attachments, related issues, and history from prior to acceptance *have not been
copied* and can be found instead at the original issue.

{panel:title=(!) IMPORTANT|borderColor=#FF0000|bgColor=#FFEEEE}
As this affects strictly 0.9.8 and 0.9.9, *we will need to produce patch releases (and update
Docker) for 0.9.8 and 0.9.9* as well as a public announcement which includes a CVE-ID.

For strictly-Glyptodon matters, we will also need to make all possible responsible disclosures
to clients.

As reported by Niv Levy:

Hello Guacamole Dev Team!

My name is Niv Levy, I'm an information security consultant from Israel.

During a recent penetration test I found that Guacamole is vulnerable to a stored cross
site scripting attack.

Stored cross site scripting means that the injected script is permanently stored on the target
servers. The victim then retrieves the malicious script from the server when it requests the
stored information.

The attacker supplied code can perform a wide variety of actions, such as stealing the victim's
session token or login credentials, performing arbitrary actions on the victim's behalf, and
logging their keystrokes.

h4. Replication Steps:

# Upload a file with malicious name. For Example: {{"><svg onload=confirm('Stored_XSS')>.png}}
# After uploading the file, refresh the folder where we uploaded our malicious file. The result
on the client browser: (see attachment)
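As an added illustration (not Guacamole's code and not part of the report above), the following shows the unsafe rendering pattern behind this class of bug beside its escaped form, fed with the filename from the replication steps; the renderer functions, the tag counter and the upload-time check are hypothetical helpers written for this example.

```javascript
// Added example, not Guacamole's own code: a filename chosen by the uploader
// reaches the file browser's markup. The vulnerable renderer splices it
// straight into the HTML; the hardened one escapes it at the point of output,
// so the name is displayed verbatim but never parsed as markup.

// Filename from the report above, constructed here as a string literal.
const REPORTED_NAME = '"><svg onload=confirm(\'Stored_XSS\')>.png';

// Escape every character that can change HTML context: element text and
// double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (hypothetical): raw concatenation into a template. The
// quote inside the filename terminates the title attribute and everything
// after it is interpreted as new markup.
function renderEntryUnsafe(name) {
  return '<div class="file" title="' + name + '">' + name + '</div>';
}

// Hardened pattern: escape once, then use the escaped value in both contexts.
function renderEntrySafe(name) {
  const safe = escapeHtml(name);
  return '<div class="file" title="' + safe + '">' + safe + '</div>';
}

// Structural check usable in a unit test: a correctly rendered entry contains
// exactly two tags (<div> and </div>); any extra tag means the filename was
// parsed as markup instead of shown as text.
function tagCount(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Defense in depth for the upload path: flag names carrying HTML
// metacharacters so they can be logged or rejected. Output escaping above
// remains the actual fix; this only narrows what reaches storage.
function hasHtmlMetacharacters(name) {
  return /[<>"'&]/.test(name);
}

console.log('unsafe tag count:', tagCount(renderEntryUnsafe(REPORTED_NAME))); // 4
console.log('safe   tag count:', tagCount(renderEntrySafe(REPORTED_NAME)));   // 2
console.log(renderEntrySafe(REPORTED_NAME));
```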


This message was sent by Atlassian JIRA