Since version 0.9.8, Guacamole has provided access to files via a file browser located in the Guacamole menu. If file transfer is enabled on a remote desktop connection, this file browser displays a navigable hierarchy of files to which the user has access.
A cross-site scripting (XSS) vulnerability was discovered and reported by Niv Levy through which files with specially-crafted names could lead to JavaScript execution if file transfer is enabled to a location which is shared by multiple users.
Administrators providing access to Guacamole 0.9.8 or 0.9.9 are encouraged to update to the patched versions of Guacamole 0.9.8 and 0.9.9 provided below.
Filenames shown in Guacamole's file browser are not properly escaped before being placed in the page. Any HTML contained in a filename is interpreted by the browser as markup, possibly leading to script execution.
A script injected this way runs in the browser session of the Guacamole user viewing the listing and has the same level of access as that user. The HTML is interpreted, and the script executed, as soon as the user browses to the directory containing the maliciously-named file within the menu.
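The following is an added illustration of the bug class described above; it is not Guacamole's own file-browser code and does not reproduce the exact markup of commit 7da1312. It shows a listing built by interpolating the filename straight into HTML (the vulnerable pattern), the same listing with the filename escaped, and a DOM-based variant that never treats the name as markup. The file list is constructed sample data; the second entry carries a classic event-handler payload.

```javascript
// Added example (not from the Guacamole project): unescaped filenames in a
// file-browser listing become stored XSS. Filenames arrive from the remote
// side (a shared SFTP directory, a redirected drive) and must be treated as
// untrusted input by the web client.

// Minimal HTML escaping for text placed inside an element body or attribute.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
})[c]);

// Vulnerable pattern: the filename is concatenated directly into markup, so
// any tag in the name is parsed by the browser exactly as if the page had
// emitted it.
function renderListingVulnerable(files) {
  return '<ul>' + files.map((f) => `<li class="file">${f.name}</li>`).join('') + '</ul>';
}

// Fixed pattern for string-built markup: every untrusted value is escaped at
// the point where it crosses into HTML.
function renderListingFixed(files) {
  return '<ul>' + files.map((f) => `<li class="file">${escapeHtml(f.name)}</li>`).join('') + '</ul>';
}

// Preferred fix when a DOM is available: build nodes and assign the name via
// textContent, which creates a text node and is never parsed as HTML.
// `doc` is the page's `document`; it is passed in so this file also loads
// outside a browser.
function buildListingNode(doc, files) {
  const ul = doc.createElement('ul');
  for (const f of files) {
    const li = doc.createElement('li');
    li.className = 'file';
    li.textContent = f.name;
    ul.appendChild(li);
  }
  return ul;
}

// Constructed sample input: one ordinary file and one whose name is a payload
// of the kind a co-tenant of a shared directory could create.
const sampleFiles = [
  { name: 'report.pdf' },
  { name: '<img src=x onerror="alert(document.cookie)">' },
];

// Crude detector used to compare the two renderers: the listing itself only
// emits <ul> and <li>, so any other tag in the output came from a filename.
function containsForeignTag(html) {
  return /<(?!\/?(ul|li)\b)[a-z]/i.test(html);
}

// Run directly (node file.js) to see both outputs side by side.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderListingVulnerable(sampleFiles));
  console.log('fixed     :', renderListingFixed(sampleFiles));
}
```

The vulnerable renderer outputs the `<img>` tag verbatim, so the `onerror` handler fires when the listing is displayed; the fixed renderer emits `&lt;img ...&gt;`, which the browser shows as literal text. Escaping at output time (or using `textContent`) is the correct fix regardless of where the filename came from; filtering names on the server side is not a substitute, because the file browser cannot control what other users write into a shared location.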
You are affected if you host Guacamole 0.9.8 or 0.9.9, file transfer is enabled on at least one VNC, RDP, or SSH connection, and the location exposed through file transfer is shared by multiple users (that is, a user other than the one viewing the file browser can create files there).
Guacamole 0.9.8 and 0.9.9 have both been patched as of January 13th, 2016. Administrators who previously installed version 0.9.8 or 0.9.9 are encouraged to download the updated guacamole.war file when possible, even if they believe they are not affected. Only guacamole.war needs to be updated; guacd and the native libraries are unchanged.
| File | MD5 | SHA1 |
|---|---|---|
| guacamole-0.9.8.war | bd1f40b4431060573e78ea3e99eea246 | c3f6c30c8f749ed690c7321013999e23425ecf68 |
| guacamole-0.9.9.war | 324c17aa305a077a2127378a2d0a7a51 | 0ba2ff114ac4221794b148ab0e83370dbc6259c5 |
The official Guacamole Docker images have been updated appropriately. If using Guacamole under Docker, pulling a fresh image of the desired version will resolve the vulnerability.
If you have made your own or vendor-specific modifications to the Guacamole web application, you should manually apply the changes made in commit 7da1312 if you used Guacamole 0.9.8 or 0.9.9 as the basis for your changes.
Both affected versions of Guacamole have been patched in place, so no version upgrade is necessary: the existing guacamole.war file only needs to be replaced with the patched copy of the same version listed above, and its checksum should be verified against the table before deployment.
Administrators who are unable or unwilling to replace their guacamole.war should ensure that users with file transfer access can only reach their own files, and should disable file transfer for any VNC, RDP, or SSH connection where file access is not isolated on a per-user basis, since any user who can create a file in a shared location can trigger the vulnerability against everyone else who browses it.