jwetzell / docker-guacamole

A self-contained guacamole docker container for x64 and ARM. Remotely connect over SSH, RDP or VNC using HTML5.
https://hub.docker.com/r/oznu/guacamole/
GNU General Public License v3.0

Security issue - Email is the same as from the forked repo #37

Closed mamema closed 8 months ago

mamema commented 8 months ago

Describe Your Problem: I would like to report a security issue. But I don't think the email linked in the "Security Reporting" area is still valid.

Please provide actual contact information

jwetzell commented 8 months ago

I'll have to try and find what section you are talking about with a bad email. But just report what you have here.

mamema commented 8 months ago

I mean your own security section here: https://github.com/jwetzell/docker-guacamole/security ...and no, public reporting of vulnerability issues isn't a good thing. Talk publicly AFTER fixing it.

jwetzell commented 8 months ago

This is a forked repository. I didn't see that doc and have removed it as nothing in there is relevant to this fork. You can send information to me@jwetzell.com if you think the vulnerability lies in this bundling of Apache Guacamole.

jwetzell commented 8 months ago

Tomcat has been updated to 9.0.85 and default files cleaned out.

mamema commented 8 months ago

thanks


mamema commented 8 months ago

Hi Joel,

scan from today:


Description
The default error page, default index page, example JSPs and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself.

Solution
Delete the default index page and remove the example JSP and servlets. Follow the Tomcat or OWASP instructions to replace or modify the default error page.

See Also
http://www.nessus.org/u?4cb3b4dd
https://www.owasp.org/index.php/Securing_tomcat

Output
The server is not configured to return a custom page in the event of a client requesting a non-existent resource. This may result in a potential disclosure of sensitive information about the server to attackers.


so it seems the default files are somewhere still there... FYI

Best regards

Matt


jwetzell commented 8 months ago

If you can point to the default files in the container that should be removed I will remove them.
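An added check for the two points in the Nessus finding above (stock Tomcat webapps still present, and no custom error page configured). This is example shell written for this thread, not code from docker-guacamole; the list of stock webapp names is the standard Tomcat 9 distribution set, assumed here rather than taken from this container, and the sample install tree it audits is constructed in a temp directory.

```shell
#!/bin/sh
# Added check for the Nessus finding quoted in the thread: stock Tomcat
# webapps still present, and no custom error page configured.
# Constructed example; not code from the docker-guacamole project.
set -u

# Webapps shipped in the apache-tomcat-9.x distribution's webapps/ directory (assumed list).
TOMCAT_DEFAULT_APPS="ROOT docs examples manager host-manager"

# Print each stock webapp still present under $1/webapps (exploded dir or .war).
# Returns 1 if any were found, 0 if the directory is clean.
tomcat_default_apps_present() {
    webapps="$1/webapps"
    found=0
    for app in $TOMCAT_DEFAULT_APPS; do
        if [ -e "$webapps/$app" ] || [ -e "$webapps/$app.war" ]; then
            echo "$app"
            found=1
        fi
    done
    return $found
}

# Returns 0 when $1/conf/web.xml declares at least one <error-page> mapping,
# so Tomcat no longer serves its own verbose report page for 404/500 responses.
custom_error_page_configured() {
    grep -q '<error-page>' "$1/conf/web.xml" 2>/dev/null
}

# Constructed sample tree: $1 lists the webapps to create, $2 is the
# conf/web.xml body. Prints the path of the temp directory it built.
make_sample_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/conf"
    for app in $1; do mkdir -p "$dir/webapps/$app"; done
    printf '%s\n' "$2" > "$dir/conf/web.xml"
    echo "$dir"
}

# Demo against a stock-looking install: both checks should flag it.
stock=$(make_sample_install "ROOT docs examples manager host-manager" '<web-app></web-app>')
echo "stock webapps still present:"; tomcat_default_apps_present "$stock"
custom_error_page_configured "$stock" || echo "no <error-page> in conf/web.xml"
```

Point both functions at the container's CATALINA_HOME (for example via `docker exec`) to audit the real install instead of the constructed sample.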