On 11/14/2023 12:20 AM, Maciej Konigsman wrote:
Hi,

My organization pen-tested a Guacamole instance (version 1.5.3).
One of the findings is related to "OWASP – Broken Access Control"
http://www.owasp.org/index.php/Broken_Access_Control

When the user group is configured without any permissions, the user should be able to execute connections without rights to view connection parameters. When I open the following paths as a member of a group without permissions, I can view the connection details. I'm not able to modify them. Is it a bug or a feature?
/#/manage/mysql/connectionGroups/1
/#/manage/mysql/connections/
/#/manage/mysql/connectionGroups/


What you are seeing are UI components filled with whatever data you do have permission to access. It is not possible to retrieve connection parameters for a connection that you do not have permission to administer/update, and this is enforced at the REST API level.

You can retrieve non-sensitive attributes, the protocol, the name, etc. as long as you have access to read the connection, but you will not be able to retrieve any connection parameters unless you have explicit administer/update permission.

If your organization encounters anything else, or has questions about the above, please DO NOT use the user@ list to ask questions about issues that you believe may be security related. Instead, send an email to:

secur...@guacamole.apache.org

The above is a private list specifically intended for such questions/reports. There is no need to subscribe to post to security@.

- Mike
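The boundary Mike describes (read access returns name and protocol, connection parameters require administer/update permission, enforced by the REST API rather than the UI) is something an operator can verify directly against their own instance with a credential that holds only read permission. The script below is an added example, not code from this thread or from the Guacamole project. It assumes the documented REST paths `/api/tokens` and `/api/session/data/{dataSource}/connections/{id}[/parameters]`; the sample responses, the connection named `db-jump`, and the environment variable names are constructed for illustration.

```python
"""Check that connection parameters are withheld from a read-only Guacamole user.

The UI shows whatever the REST API hands back, so the meaningful test is at the
API layer: with a READ-only credential, GET .../connections/{id} should succeed
while GET .../connections/{id}/parameters should be refused (non-200).
Run this only with a credential that has no UPDATE/ADMINISTER permission on the
connection; an admin account is expected to receive the parameters.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample: what a correctly enforcing server returns to a READ-only user.
READ_ONLY_RESPONSES = {
    "connections/1": (200, {"identifier": "1", "name": "db-jump", "protocol": "ssh"}),
    "connections/1/parameters": (403, {"message": "Permission denied."}),
}

# Constructed sample of a deployment that would actually exhibit the reported finding.
LEAKY_RESPONSES = {
    "connections/1": (200, {"identifier": "1", "name": "db-jump", "protocol": "ssh"}),
    "connections/1/parameters": (200, {"hostname": "10.0.0.5", "password": "hunter2"}),
}


def check_parameter_boundary(get, connection_id):
    """Evaluate the read/parameter boundary for one connection.

    `get(path)` returns (http_status, decoded_json) for a path relative to
    /api/session/data/{dataSource}/. The result is a plain dict so it can be
    logged or asserted on; `leak` is True only when the parameters endpoint
    answers 200 with a non-empty body for the credential in use.
    """
    status, summary = get(f"connections/{connection_id}")
    params_status, params = get(f"connections/{connection_id}/parameters")
    result = {
        "read_ok": status == 200,
        "name": summary.get("name") if isinstance(summary, dict) else None,
        "protocol": summary.get("protocol") if isinstance(summary, dict) else None,
        "parameters_status": params_status,
        "leak": False,
        "leaked_keys": [],
    }
    if params_status == 200 and isinstance(params, dict) and params:
        result["leak"] = True
        result["leaked_keys"] = sorted(params)
    return result


def make_dict_getter(responses):
    """Offline getter backed by a constructed response table (for tests/demo)."""
    return lambda path: responses.get(path, (404, {}))


def make_http_getter(base_url, data_source, token):
    """Live getter against a real instance; the token is passed as the `token` query parameter."""
    def get(path):
        url = f"{base_url}/api/session/data/{data_source}/{path}?" + urllib.parse.urlencode({"token": token})
        try:
            with urllib.request.urlopen(url) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            body = err.read()
            try:
                return err.code, json.loads(body or b"{}")
            except ValueError:
                return err.code, {}
    return get


def login(base_url, username, password):
    """POST /api/tokens and return (authToken, dataSource) for a READ-only test user."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    with urllib.request.urlopen(f"{base_url}/api/tokens", data=data) as resp:
        payload = json.loads(resp.read())
    return payload["authToken"], payload["dataSource"]


if __name__ == "__main__":
    # Assumed environment variables for a live run; absent them, use the constructed samples.
    base = os.environ.get("GUAC_URL")
    if base:
        token, ds = login(base, os.environ["GUAC_RO_USER"], os.environ["GUAC_RO_PASS"])
        getter = make_http_getter(base, ds, token)
    else:
        getter = make_dict_getter(READ_ONLY_RESPONSES)
    outcome = check_parameter_boundary(getter, os.environ.get("GUAC_CONN_ID", "1"))
    verdict = "PARAMETERS EXPOSED to read-only user" if outcome["leak"] else "boundary enforced"
    print(json.dumps(outcome, indent=2))
    print(verdict)
```

Against the constructed `READ_ONLY_RESPONSES` table the check reports the summary fields (name, protocol) as readable and the parameters endpoint as refused; the `LEAKY_RESPONSES` table shows what a genuine finding would look like, which is the condition that should be reported to the security@ address rather than the user list.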
