Security issue - Email is the same as from the forked repo

Question

Security issue - Email is the same as from the forked repo

mamema opened this issue 9 months ago · 7 comments

Describe Your Problem:
i would like to repport a security issue. But i don't think the email linked in the "Security Reporting" afrea is still valid.

Please provide actual contact information

Answer 1 · 2024-02-07T13:07:13.000Z

I'll have to try and find what section you are talking about with a bad email. But just report what you have here.

Answer 2 · 2024-02-07T14:20:45.000Z

i mean your own security seciton here: https://github.com/jwetzell/docker-guacamole/security
...and no, vulnerability issues public reporting isn't a good thing. Talk public AFTER fixing it.

Answer 3 · 2024-02-07T17:49:43.000Z

This is a forked repository. I didn't see that doc and have removed it as nothing in there is relevant to this fork. You can send information to me@jwetzell.com if you think the vulnerability lies in this bundling of Apache Guacamole.

Answer 4 · 2024-02-07T21:59:25.000Z

Tomcat has been updated to 9.0.85 and default files cleaned out.

Answer 5 · 2024-02-08T10:35:38.000Z

thanks

…

________________________________ From: Joel Wetzell ***@***.***> Sent: Wednesday, February 7, 2024 1:59 PM To: jwetzell/docker-guacamole ***@***.***> Cc: mamema ***@***.***>; Author ***@***.***> Subject: Re: [jwetzell/docker-guacamole] Security issue - Email is the same as from the forked repo (Issue #37) Closed #37<#37> as completed. — Reply to this email directly, view it on GitHub<#37 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AEOWCGHVJRPMQ7VLIWUHV5DYSP2MPAVCNFSM6AAAAABC5SJTEWVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJRG4ZTQMZUG4ZTOMQ>. You are receiving this because you authored the thread.Message ID: ***@***.***>

Answer 6 · 2024-02-12T16:35:02.000Z

Hi Joel, scan from today: ___ Description The default error page, default index page, example JSPs and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself. Solution Delete the default index page and remove the example JSP and servlets. Follow the Tomcat or OWASP instructions to replace or modify the default error page. See Also http://www.nessus.org/u?4cb3b4dd https://www.owasp.org/index.php/Securing_tomcat Output * The server is not configured to return a custom page in the event of a client requesting a non-existent resource. This may result in a potential disclosure of sensitive information about the server to attackers.

…

___ so it seems the default files are somwehere still there... FYI Best regards Matt

________________________________ From: Joel Wetzell ***@***.***> Sent: Wednesday, February 7, 2024 1:59 PM To: jwetzell/docker-guacamole ***@***.***> Cc: mamema ***@***.***>; Author ***@***.***> Subject: Re: [jwetzell/docker-guacamole] Security issue - Email is the same as from the forked repo (Issue #37) Tomcat has been updated to 9.0.85 and default files cleaned out. — Reply to this email directly, view it on GitHub<#37 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AEOWCGDYEOHXUQ3MLXXZGZDYSP2MTAVCNFSM6AAAAABC5SJTEWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMZTGAYDONRWGE>. You are receiving this because you authored the thread.

Answer 7 · 2024-02-12T20:03:33.000Z

If you can point to the default files in the container that should be removed I will remove them.