
Security Advisory - Stored XSS (CVE-2016-1566 / GUAC-1465)

Since version 0.9.8, Guacamole has provided access to files via a file browser located in the Guacamole menu. If file transfer is enabled on a remote desktop connection, this file browser displays a navigable hierarchy of files to which the user has access.

A cross-site scripting (XSS) vulnerability, discovered and reported by Niv Levy, allows files with specially-crafted names to cause JavaScript execution when file transfer is enabled to a location that is shared by multiple users.

Administrators providing access to Guacamole 0.9.8 or 0.9.9 are encouraged to update to the patched versions of Guacamole 0.9.8 and 0.9.9 provided below.

Vulnerability Description

The filenames within Guacamole's file browser are improperly filtered. HTML included in filenames will be interpreted by the browser, possibly leading to script execution.

A malicious script would have the same level of access as the compromised Guacamole user. The HTML is interpreted, and the script executed, when the user browses to the maliciously-named file within the menu.

Am I affected?

You are affected if you host Guacamole 0.9.8 or 0.9.9 and all of the following are true:

  1. One or more users may upload or create files in a shared location.
  2. Filenames containing angle brackets are allowed in that shared location.
  3. File transfer is enabled to that shared location for at least one Guacamole user.

What should I do?

Guacamole 0.9.8 and 0.9.9 have both been patched as of January 13th, 2016. Administrators that previously installed version 0.9.8 or 0.9.9 are encouraged to download the updated guacamole.war file when possible, even if they believe they are not affected. Only guacamole.war needs to be updated.

File                 MD5                               SHA1
guacamole-0.9.8.war  bd1f40b4431060573e78ea3e99eea246  c3f6c30c8f749ed690c7321013999e23425ecf68
guacamole-0.9.9.war  324c17aa305a077a2127378a2d0a7a51  0ba2ff114ac4221794b148ab0e83370dbc6259c5

The official Guacamole Docker images have been updated appropriately. If using Guacamole under Docker, pulling a fresh image of the desired version will resolve the vulnerability.

If you have made your own or vendor-specific modifications to the Guacamole web application using Guacamole 0.9.8 or 0.9.9 as the basis for your changes, you should manually apply the changes made in commit 7da1312.

What if I cannot update Guacamole right now?

Both affected versions of Guacamole have been patched, so no upgrade to a newer version is necessary - the guacamole.war file only needs to be replaced with the patched copy of the same version.

Administrators that are unable or unwilling to replace their guacamole.war should ensure that users with file transfer access can only access their own files, and should disable file transfer for any VNC, RDP, or SSH connections where file access is not isolated on a per-user basis.

Posted by Michael Jumper 2016-02-01