On Nov 20, 2017 20:07, "Thiago Araújo" <thiago.araujo-partn...@ventiv.com.br> wrote:

> Hello everyone, I will be very brief in my story. We recently tried to implement guacamole for about 2500 users or more. However, guacamole did not respond well to pen testing. The pen testing team has found a way to hijack the authToken, and connect to the guacamole interface of any other computers on the network.

Hi Thiago,

Guacamole's auth token is no different than any other webapp session token, and needs to be transmitted over encrypted channels for things to be secure. What you describe (intercepting the session token) is not possible with proper transport encryption between users and the Guacamole server.

If you genuinely believe you have found a flaw, please use the priv...@guacamole.apache.org list to discuss this further. A public forum like user@ is not the place to report such things.

Otherwise, please ensure you have proper SSL/TLS in front of Guacamole, and that you do not allow unencrypted Guacamole traffic over an untrusted network.

- Mike
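As an added illustration of the "SSL/TLS in front of Guacamole" advice above (this is not part of Mike's reply, nor configuration shipped by the Guacamole project), the following nginx reverse-proxy configuration terminates TLS and forwards to the Guacamole web application. The public name `guac.example.com`, the certificate paths, and a Tomcat backend reachable at `127.0.0.1:8080` under `/guacamole/` are assumptions chosen for the example.

```nginx
# Added example: TLS-terminating reverse proxy in front of Guacamole.
# Assumed (placeholders, not values from the thread): Guacamole runs in
# Tomcat on this host at 127.0.0.1:8080 under /guacamole/, the public
# hostname is guac.example.com, and certificates live at the paths below.

# Plain HTTP: serve nothing, redirect every request to HTTPS so the auth
# token is never carried over an unencrypted connection.
server {
    listen 80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name guac.example.com;

    ssl_certificate     /etc/ssl/certs/guac.example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/guac.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Instruct browsers to refuse plain-HTTP connections to this host
    # from now on, so a later unencrypted link is not followed.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Guacamole's tunnel uses WebSocket; passing the Upgrade and
        # Connection headers through lets that upgrade succeed instead
        # of falling back to the HTTP tunnel.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }
}
```

The proxy only enforces encryption if clients cannot go around it: the Tomcat listener on 8080 should be reachable from the proxy host alone (bind it to a loopback address or firewall the port), otherwise a user on the same network can still reach the unencrypted backend directly and the redirect and HSTS settings above protect nothing.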