Beste / devs,

adding the development list in CC.

I can confirm the issue on latest mapcache master. The vulnerabililty is the 
injection of a parameter value between XML comment markers <-- --> used for 
the error message. When this parameter value starts with --> it ends up the 
comment part and the rest of the value is then parsed as non-comment XML.
By skimming through the code it appears there are several similar instances in 
this protocol and others as well.

I can see 2 options to fix this:
- the safer one I think: do not return the invalid parameter value in the 
error message, but just the parameter name. So returning "Invalid layer name" 
instead of "Invalid layer {value_of_the_LAYER_parameter}". The important 
information is the name of the erroneous parameter, not its value (the user 
can figure it that himself)
- a more risky one: sanitize the value that is going to be put inside XML 
comments <--  --> . So that means at least removing --> sequences, but perhaps 
other things too ?


> Hello,
> I'm a student working on a school project that utilises mapserver 6.2
> installed from rpm on RedHat OS. My advisors are very concerned about the
> security of the system. From the security reports, we obtained this XSS
> vulnerability on the 'layer' parameter of WMTS service.
> GetTile&VERSION=1.0.0&LAYER=--%3E%3ca%20xml
> 3ca%3abody%20onload%3d%27alert(1111)%27%2f
> %3e%3c%2fa%3e&STYLE=default&TILEMATRIXSET=epsg3857&TILEMATRIX=6&TILEROW=23&
> I wonder if the newer versions of mapserver have this issue or is there any
> way to solve it?
> Any help would be appreciated.
> Beste

Spatialys - Geospatial professional services
mapserver-users mailing list

Reply via email to