Issue Type: Bug
Affects Versions: 2.2-RC3
Assignee: Andrea Aime
Components: WMS
Created: 20/Sep/12 3:26 PM
Description:

The application/openlayers WMS output format allows for script injection in the rendered page. It looks like the endpoint takes any user provided query string parameters and includes them as WMS layer parameters (all uppercased) and as GetFeatureInfo parameters (unaltered).

Here's an example:
http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp:states&styles=&bbox=-122.911,42.289,-122.777,42.398&width=512&height=416&srs=EPSG:4326&format=application/openlayers&%3C%2Fscript%3E%3Cscript%3Ealert%28%27x-scripted%27%29%3C%2Fscript%3E%3Cscript%3E=foo

Some browsers (recent WebKit) will not execute scripts found to have the same text as query string parameters/values, but other browsers will execute these scripts.

This would allow Evil Hacker to pass a link to GeoServer User and have a script running on GeoServer User's page that could send information back to Evil Hacker without GeoServer's knowledge.

To avoid this vulnerability, all user provided query string parameters and values should be sanitized/html-escaped before including them in page content.

Project: GeoServer
Priority: Major
Reporter: Tim Schaub
This message is automatically generated by JIRA.
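The sanitisation the report asks for, shown as an added example rather than GeoServer's own code: a simulated version of the OpenLayers preview page that forwards unknown query parameters to the layer (names uppercased, as the report describes), first rendered by plain concatenation and then with every name and value escaped for the context it lands in. The query string, the `RESERVED` set and the page template are constructed for the example; they are not taken from GeoServer.

```python
import html
import json
from urllib.parse import parse_qsl

# Constructed query string modelled on the request in the report: the bogus
# parameter *name* carries the markup, its value is just "foo".
QUERY = (
    "service=WMS&version=1.1.0&request=GetMap&layers=topp:states"
    "&format=application/openlayers"
    "&%3C%2Fscript%3E%3Cscript%3Ealert%28%27x-scripted%27%29%3C%2Fscript%3E%3Cscript%3E=foo"
)

# Parameters the preview page itself consumes (assumed set); all others are
# forwarded to the WMS layer with their names uppercased, as the report says.
RESERVED = {"service", "version", "request", "format"}


def forwarded_params(query: str) -> dict:
    """Collect the user-supplied parameters that end up in the page."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in RESERVED:
            params[name.upper()] = value
    return params


def js_string(s: str) -> str:
    """Quote a value for use inside a <script> block.

    json.dumps handles quotes, backslashes and control characters, but leaves
    '<', '>' and '&' alone, so a value containing '</script>' would still end
    the script element. Those characters are emitted as \\uXXXX escapes, which
    JavaScript decodes back to the original text but the HTML parser ignores.
    """
    return (json.dumps(s)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


def render_unsafe(query: str) -> str:
    """Vulnerable rendering: names and values concatenated verbatim."""
    params = forwarded_params(query)
    pairs = ", ".join(f'"{k}": "{v}"' for k, v in params.items())
    return (f"<title>{params.get('LAYERS', '')}</title>\n"
            f"<script>\nvar wmsParams = {{{pairs}}};\n</script>")


def render_safe(query: str) -> str:
    """Hardened rendering: every name and value escaped for its context
    (JS string literal inside <script>, HTML text inside <title>)."""
    params = forwarded_params(query)
    pairs = ", ".join(f"{js_string(k)}: {js_string(v)}" for k, v in params.items())
    title = html.escape(params.get("LAYERS", ""), quote=True)
    return (f"<title>{title}</title>\n"
            f"<script>\nvar wmsParams = {{{pairs}}};\n</script>")


def script_elements(page: str) -> int:
    """Number of script start tags the HTML parser would see; a page that
    embeds user data correctly has exactly the one it wrote itself."""
    return page.lower().count("<script")


if __name__ == "__main__":
    print(script_elements(render_unsafe(QUERY)), "script tags in the unsafe page")
    print(script_elements(render_safe(QUERY)), "script tag in the safe page")
    print(render_safe(QUERY))
```

The point of `js_string` is that HTML-escaping alone is the wrong tool inside a `<script>` block: the browser's HTML parser looks for `</script>` before JavaScript ever runs, so the angle brackets have to be turned into `\u003c`/`\u003e` escapes (still valid inside a JS string) rather than `&lt;`/`&gt;` entities (which would be passed to the layer as literal text). `script_elements` is the kind of check a regression test for this issue can run over the rendered page.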
_______________________________________________
Geoserver-devel mailing list
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
