Beste / devs, adding the development list in CC.

I can confirm the issue on latest mapcache master. The vulnerability is the injection of a parameter value between XML comment markers <-- --> used for the error message. When this parameter value starts with --> it ends the comment part and the rest of the value is then parsed as non-comment XML. By skimming through the code it appears there are several similar instances in this protocol and others as well.

I can see 2 options to fix this:

- the safer one I think: do not return the invalid parameter value in the error message, but just the parameter name. So returning "Invalid layer name" instead of "Invalid layer {value_of_the_LAYER_parameter}". The important information is the name of the erroneous parameter, not its value (the user can figure that out himself).
- a more risky one: sanitize the value that is going to be put inside XML comments <-- -->. So that means at least removing --> sequences, but perhaps other things too?

Even

> Hello,
>
> I'm a student working on a school project that utilises mapserver 6.2
> installed from rpm on RedHat OS. My advisors are very concerned about the
> security of the system. From the security reports, we obtained this XSS
> vulnerability on the 'layer' parameter of WMTS service.
>
> http://example.com/mapcache/wmts/?SERVICE=WMTS&REQUEST=GetTile&VERSION=1.0.0&LAYER=--%3E%3ca%20xmlns%3aa%3d%27http%3a%2f%2fwww.w3.org%2f1999%2fxhtml%27%3e%3ca%3abody%20onload%3d%27alert(1111)%27%2f%3e%3c%2fa%3e&STYLE=default&TILEMATRIXSET=epsg3857&TILEMATRIX=6&TILEROW=23&TILECOL=38&FORMAT=
>
> I wonder if the newer versions of mapserver have this issue or is there any
> way to solve it?
> Any help would be appreciated.
>
> Beste

--
Spatialys - Geospatial professional services
http://www.spatialys.com
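The two fix options discussed in the reply, as an added illustration in C (not mapcache code, and not the patch that was eventually applied): a helper that makes a value safe to embed in an XML comment, and an error renderer that either omits the value (the safer option) or escapes it first. Function names and the sample value are hypothetical. The escaper goes slightly beyond "remove -->": XML 1.0 forbids the sequence "--" anywhere inside a comment and forbids a comment body ending with "-", so it neutralises every such hyphen rather than only the closing marker.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy `value` into a new buffer in which no "--" remains and no "-" is
 * last, by inserting a space after each offending hyphen. Such a body can
 * never terminate the enclosing <!-- ... --> comment. Caller frees. */
char *xml_comment_escape(const char *value) {
  size_t len = strlen(value);
  char *out = malloc(2 * len + 1);   /* worst case: every char doubles */
  if (!out) return NULL;
  size_t j = 0;
  for (size_t i = 0; i < len; i++) {
    out[j++] = value[i];
    if (value[i] == '-' && (i + 1 == len || value[i + 1] == '-'))
      out[j++] = ' ';
  }
  out[j] = '\0';
  return out;
}

/* 1 if `body` is a legal XML comment body (no "--", not ending in "-"). */
int xml_comment_body_is_safe(const char *body) {
  size_t len = strlen(body);
  if (len && body[len - 1] == '-') return 0;
  return strstr(body, "--") == NULL;
}

/* Render the diagnostic comment for a rejected request parameter.
 * echo_value == 0: name only (safer option). Otherwise the value is
 * escaped before being embedded. Returns chars written or -1. */
int render_error_comment(char *buf, size_t size, const char *param,
                         const char *value, int echo_value) {
  int n;
  if (!echo_value) {
    n = snprintf(buf, size, "<!-- Invalid %s -->", param);
  } else {
    char *esc = xml_comment_escape(value);
    if (!esc) return -1;
    n = snprintf(buf, size, "<!-- Invalid %s: %s -->", param, esc);
    free(esc);
  }
  return (n < 0 || (size_t)n >= size) ? -1 : n;
}

int main(void) {
  char buf[256];
  const char *sample = "--><a>injected</a>";   /* constructed sample value */
  render_error_comment(buf, sizeof buf, "layer", sample, 0); puts(buf);
  render_error_comment(buf, sizeof buf, "layer", sample, 1); puts(buf);
  return 0;
}
```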
I can confirm the issue on latest mapcache master. The vulnerabililty is the injection of a parameter value between XML comment markers <-- --> used for the error message. When this parameter value starts with --> it ends up the comment part and the rest of the value is then parsed as non-comment XML. By skimming through the code it appears there are several similar instances in this protocol and others as well. I can see 2 options to fix this: - the safer one I think: do not return the invalid parameter value in the error message, but just the parameter name. So returning "Invalid layer name" instead of "Invalid layer {value_of_the_LAYER_parameter}". The important information is the name of the erroneous parameter, not its value (the user can figure it that himself) - a more risky one: sanitize the value that is going to be put inside XML comments <-- --> . So that means at least removing --> sequences, but perhaps other things too ? Even > Hello, > > I'm a student working on a school project that utilises mapserver 6.2 > installed from rpm on RedHat OS. My advisors are very concerned about the > security of the system. From the security reports, we obtained this XSS > vulnerability on the 'layer' parameter of WMTS service. > > http://example.com/mapcache/wmts/?SERVICE=WMTS&REQUEST= > GetTile&VERSION=1.0.0&LAYER=--%3E%3ca%20xml > > ns%3aa%3d%27http%3a%2f%2fwww.w3.org%2f1999%2fxhtml%27%3e% > 3ca%3abody%20onload%3d%27alert(1111)%27%2f > %3e%3c%2fa%3e&STYLE=default&TILEMATRIXSET=epsg3857&TILEMATRIX=6&TILEROW=23& > TILECOL=38&FORMAT= > > I wonder if the newer versions of mapserver have this issue or is there any > way to solve it? > Any help would be appreciated. > > Beste -- Spatialys - Geospatial professional services http://www.spatialys.com _______________________________________________ mapserver-users mailing list mapserver-users@lists.osgeo.org https://lists.osgeo.org/mailman/listinfo/mapserver-users