On Tue, Feb 7, 2023 at 3:59 AM Vieri <[email protected]> wrote:
>
> OK, I just got bitten by my own system.
>
> Guacamole is behind a reverse-proxy with ModSecurity.
> Sending variables as ${} is considered a potential attack, so I get this in
> the WAF:
>
> [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"]
> [data "Matched Data: ${guac_username}_${guac_date}_${guac_time} found within
> ARGS:parameters.recording-name:
> test_rdp_${guac_username}_${guac_date}_${guac_time}"]
>
> Sorry for the misleading messages in this ML!
>
> I guess I can deactivate this Rule by ID for my Guacamole virtual domain.
> However, would it be possible for the Guacamole Client to somehow encrypt or
> base64-encode the HTTP requests so it doesn't trigger this ModSecurity rule?
>

Yes, it would be possible to do such a thing, but it seems like a fairly extreme way to resolve the issue. I would imagine that the WAF has ways to create exceptions for the rules, rather than de-activating them entirely, and that seems a more reasonable approach than either de-activating the rule entirely or modifying the source code.

-Nick
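
A rule exception of the kind suggested in the reply, as an added example that is not part of the thread or of either project's own configuration. It assumes Apache httpd with ModSecurity and the OWASP Core Rule Set; the local rule id 10001 and the /guacamole/api/ path prefix are assumptions, while 932130 and the argument name are taken from the log entry quoted above.

```apache
# Added example (constructed). Place inside the Guacamole virtual host only,
# so every other site behind the proxy keeps full coverage from rule 932130.

# Narrow exception, configure-time form.
# Rule 932130 stays active for every other argument; only the one parameter
# named in the log's "found within" field is no longer inspected by it.
# This directive must be read AFTER the CRS rule files have been included,
# because it modifies a rule that has to exist already.
SecRuleUpdateTargetById 932130 "!ARGS:parameters.recording-name"

# Narrower exception, runtime form (use instead of the directive above).
# The exclusion applies only to requests whose URI starts with the
# Guacamole API prefix (assumed path), so the same argument name is still
# inspected anywhere else on this virtual host.
# This rule must be read BEFORE the CRS rule files are included.
# 10001 is a hypothetical id from the range reserved for local rules.
#
# SecRule REQUEST_URI "@beginsWith /guacamole/api/" \
#     "id:10001,\
#     phase:1,\
#     pass,\
#     nolog,\
#     ctl:ruleRemoveTargetById=932130;ARGS:parameters.recording-name"

# Broad form, shown for contrast: removes the shell-expression check for
# every request and every argument on this virtual host.
#
# SecRuleRemoveById 932130
```

With either narrow form in place, a `${...}` expression in any other request argument still triggers 932130, which is the difference from removing the rule by id.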
