Hi, Jody,
It turned out that we don't have time to fix this issue right now.
Our security manager flagged as unsafe the application that uses GeoServer to
access the back-end spatial database and display maps to Web users.
Now I have a few questions for you/the GeoServer development team, as below:
1. Is there a core GeoServer development team that we can contact to
provide more details about this vulnerability for further
discussion/solutions? We don't want to send our vulnerability scan report
to the whole GeoServer community.
2. Did the GeoServer development team verify and agree with this vulnerability?
If yes, do you have any solutions and/or plans to fix it in the near
future? If you verified it but think this vulnerability is not critical,
could you please provide some details to explain why this vulnerability is
not critical?
3. I read the following comment from the GeoServer community; do you agree with
it? Does the GeoServer team take it as an explanation of the CQL vulnerability?
~~~~~~~~~~~~~~~~~~~
"In GeoServer's implementation, each filter expression is fully parsed into
an abstract syntax tree and then partially or fully converted to native
queries in a database-specific manner - PostGIS can take advantage of SQL
syntax and functions unique to that database, while Shapefiles use a
fallback that fully interprets filters in GeoServer/GeoTools code. As
such, it's not susceptible to traditional SQL injection attacks since the
user input is never directly sent to the underlying database.
I guess it might be possible in theory to perform an injection attack by
some clever escaping - using "' -- DELETE TABLE important_data;" as a
property name. But GeoServer validates that filters reference only
properties that are actually present, so this would not be feasible through
WFS. And CQL does not support comments, further complicating any potential
injection attacks.
Furthermore, GeoServer JDBC by default uses prepared statements
where possible for both performance and security. Prepared statements are
a strong protection against SQL injection because the injected value is not
evaluated as SQL code."
~~~~~~~~~~~~~~~~~~~~
Thanks a lot,
Aijun
_______________________________________________
Geoserver-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
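The community comment quoted in the message above describes a three-step pattern: parse the CQL filter into a syntax tree, check that every property it references exists on the feature type, and encode the tree to SQL with the literal values sent as prepared-statement parameters rather than spliced into the query text. The following is an added illustration of that pattern written for this page; it is not GeoServer or GeoTools code. The tiny grammar (property, comparison operator, literal, joined by AND/OR), the `SCHEMA` dictionary, the `places` table and the sample filters are all assumptions constructed for the example.

```python
"""Added example (not GeoServer/GeoTools code): parse a CQL-style filter
into a tree, validate property names against the feature type, then encode
the tree to SQL with '?' placeholders. SCHEMA, the grammar and the sqlite3
'places' table are assumptions made for this illustration."""
import re
import sqlite3

SCHEMA = {"name": str, "population": int, "state": str}  # assumed feature type
# groups: 1 = string literal, 2 = integer literal, 3 = operator, 4 = identifier
TOKEN = re.compile(r"\s*(?:('(?:[^']|'')*')|(\d+)|(<=|>=|<>|=|<|>)|([A-Za-z_]\w*))")


class FilterError(ValueError):
    """Filter could not be parsed, or references a property the type lacks."""


def tokenize(text):
    """Return tokens, or raise FilterError if anything outside the grammar
    (';', '--', an unterminated quote, ...) appears anywhere in the filter."""
    tokens, pos = [], 0
    for m in TOKEN.finditer(text):
        if m.start() != pos:  # characters the grammar did not consume
            raise FilterError(f"unexpected input at offset {pos}: {text[pos:m.start()]!r}")
        pos = m.end()
        s, n, op, ident = m.group(1, 2, 3, 4)
        if s is not None:
            tokens.append(("str", s[1:-1].replace("''", "'")))  # CQL doubles ' in strings
        elif n is not None:
            tokens.append(("num", int(n)))
        elif op is not None:
            tokens.append(("op", op))
        elif ident.upper() in ("AND", "OR"):
            tokens.append(("kw", ident.upper()))
        else:
            tokens.append(("ident", ident))
    if text[pos:].strip():
        raise FilterError(f"unexpected input at offset {pos}: {text[pos:pos + 12]!r}")
    return tokens


def parse(tokens):
    """Recursive descent: OR binds loosest, then AND, then 'prop op literal'.
    Nodes are ("cmp", prop, op, literal) or ("AND"/"OR", left, right)."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else (None, None)

    def take(kind=None):
        nonlocal pos
        tok = peek()
        if tok[0] is None or (kind and tok[0] != kind):
            raise FilterError(f"expected {kind or 'more input'}, got {tok}")
        pos += 1
        return tok

    def binary(kw, below):
        node = below()
        while peek() == ("kw", kw):
            take()
            node = (kw, node, below())
        return node

    def compare():
        prop, op = take("ident")[1], take("op")[1]
        kind, value = take()
        if kind not in ("str", "num"):
            raise FilterError(f"expected a literal after {prop} {op}, got {kind}")
        return ("cmp", prop, op, value)

    tree = binary("OR", lambda: binary("AND", compare))
    if peek()[0] is not None:
        raise FilterError(f"trailing tokens: {tokens[pos:]}")
    return tree


def validate(node, schema=SCHEMA):
    """Reject properties the feature type does not declare, and mistyped literals."""
    if node[0] != "cmp":
        validate(node[1], schema)
        validate(node[2], schema)
        return
    if node[1] not in schema:
        raise FilterError(f"unknown property {node[1]!r}")
    if not isinstance(node[3], schema[node[1]]):
        raise FilterError(f"type mismatch for {node[1]!r}")


def encode(node, params):
    """Emit SQL with '?' placeholders; literals go into params, never into the SQL text."""
    if node[0] != "cmp":
        return f"({encode(node[1], params)} {node[0]} {encode(node[2], params)})"
    params.append(node[3])
    return f'"{node[1]}" {node[2]} ?'  # prop validated against SCHEMA, op from a fixed set


def demo_db():
    """Constructed in-memory table standing in for the spatial database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""CREATE TABLE places(name TEXT, population INTEGER, state TEXT);
        INSERT INTO places VALUES ('Springfield', 150000, 'IL'), ('Shelbyville', 45000, 'IL'),
                                  ('Ogdenville', 3000, 'WA');
        CREATE TABLE important_data(x TEXT);""")
    return conn


def run_filter(conn, cql):
    """Parse, validate, encode and execute a filter as a prepared statement.
    Returns (sorted names, None), or (None, reason) when the filter is rejected."""
    try:
        tree = parse(tokenize(cql))
        validate(tree)
    except FilterError as err:
        return None, str(err)
    params = []
    rows = conn.execute(f"SELECT name FROM places WHERE {encode(tree, params)}", params)
    return sorted(r[0] for r in rows), None
```

Calling `run_filter(demo_db(), "name = 'Springfield'' OR ''1''=''1'")` returns `([], None)`: the quote-laden text is a single bound value and matches nothing, while `run_filter(demo_db(), "secret = 1")` and a filter containing `; DROP TABLE important_data` are rejected before any SQL is built, because the property is not in the schema and `;` is not in the grammar respectively.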