Hi Jorge,
I don't run QGIS server, I was basing that on the original report by
Nadia to the list which shows a 500 response for that request to their box.
But yes, testing that URL against some (ostensibly) QGIS servers I can
find online, it does seem to work as expected. Not sure why Nadia got a
500 back...
Cheers,
Jonathan
On 2020-02-01 21:58, Jorge Gustavo Rocha wrote:
Hi Jonathan,
If the service is unknown, my QGIS Server reports:
<ServiceExceptionReport version="1.3.0" xmlns="http://www.opengis.net/ogc">
<ServiceException code="Service configuration error">Service unknown or
unsupported</ServiceException>
</ServiceExceptionReport>
Which QGIS Server are you using? Have you filed a bug?
Your help is appreciated :-)
Regards,
Jorge Gustavo
On 01/02/20 21:25, Jonathan Moules wrote:
I can't comment on the security aspect, but at the very least there's a
bug in the WMS compliance. For the GetCapabilities URL it should be
returning an XML Service Exception (because it has an invalid SERVICE
value), not an HTTP 500.
I.e., the same request to a (random) GeoServer box shows the sort of
thing that should be coming back:
http://si.icnf.pt/geoserver/POEM/ows?REQUEST=GetCapabilities&SERVICE=oGMQJLiHSupcMsIjmfMWZQISJOeWgvtonUKYRXwmroNKJMFRYPEnEZPkowATaGjkELTRHGnDntktuVJGaLGTcBeUUJdggwCZNQVmwtAGVOJnxxYRNoCsJqtRfbPjwKjegCwdCLmaYrUVJabXtdkmZeHXsNLjhpdJhbQOYeXwwOIZwVROYYKwXRZxkjXoeGJvmswRUKPNRMhLLkMQtoLmSfPNrQXYHtuPEuKpFIpFccNsEgRbYndKFXiFpnZqJERjSJreOgtxNGcisVVbPVvfplvDRyRbsKbFnPcmlliuCAyoDmYOffSDlAWUApgewpAiJXXdwLDDYbkPaAiqMNkqPfqkIBxhirwdeQEQmTtBeDYIbGYNbGKPxSOYDRhgiGrGPElskHmqCCUaETOPHTPEXMArEpPNYZyJoChNatgYaPfcqIRjwCwDkmMVgUdlxGWgqXxGZwrgeantfXPvxkacZQLKPwlemJfeOuvIVfZrBiwWtIoybuuQAqapuFJBDuZHtMlaIJemxOjPiefmgMSXOpoSwFAipLYwqVApjJtmbOqUBORkfqesknejRvSFQwmCYlHigIZNpBIAINfVVUxtjHekDrJMdYVNgAiZUNUYSnbSyPrFTWiYmrnFUcqnteOMEogsxDXMlbNLBcMCLwDZJCQLblDTElqcWxmcoKiZGBPqTJuSjIPimsfYklNdmIcnwsGdESbaOhtvVwRcoFIKAAninLCqKfsKFXqDfEwNCkXXRFvbcjnXggYywEynhweSdrvbCngwJtceGDAOlQQqCBhgjHmcuSrCUKwBJOeEToYIhTQCgEdBVpIlCYmIBPsNPLIedfITOfincEBqLscQJNktKIvpfgkQFhLOtiyslSKdGkjCCnYYDNVBrTDJsYxELKJcXlJLUMTBOChSpTsfgZMqKtXLkbMOnulrWQLJhwIElLJZhnQDjfmUvsDiVDAEavsGhUXSYlxbPROgZQElKUIXNBGEmducbcREVLjNoZvlNpxcWnVwhNlKOfSZBREGUZXLRfhEloTuZLPphUaEPpydHoHpcNKhVjqsKfQofaaVTAfDwXoUWQtmQaRSAEdwxCdIqllTvObUFcsdyfGqHRQFDGFvHUdeNuTWhIbgDhcTGnJBTxytfHWvQNjSqSGCBDGNPQJaclWFUHPIjAkbvDxRtqFjwtoVOtfYkbiKVbqcphyngrfcxLkGQpHjSldaqekhLoAYGbkXHdnyeKIraNcalFLUvrEKSVYoNpGoZHrKpDckZJSnPHiMIeaOrTCKRWbNcrSDrddeVIqSfSRIILuZpYnpFLJCyYxVGnRonXgCSEqQXcZreffnyaFvkaFcJyyuCivsGMHGhVViEetLWxPEnFsFGuuHFmlIJCtoyyikChSxeMrKxhZoQanBBfexwUjsjAiLUOLnhYmlyuJlsENAoMDiFbbrcfpXeyqnkJOgmCwYakTGegcbpywwAVYJSQtblnWZhfccMksXoHhkXqqbZxYgAsNwPGbJukfaGZakiImInKPoSwvCXXvpqawURRpUmaebduvgDnAYGUmhCcQGkTKqlKVoGumDuDFgpbhcyRgpnVkuymNFsMRChKBFFyBKJNkcNqTEHKHrJdECHYMnWBjJiVqaXBEJQDjoZyjNFwumfShWeeRoqwIDfYSckglinPSgDvJlFxfLtWmiYTrhVSFRQOjdZKdQRhnmpSXVvQLadJpviByssOKIrjpysnXvXHAvRKrIcGEvsvhWEmZkGKPBcFFmmjtQJQZxZIcTVmFWHEUOEejYvOjNrbqYvPaJxbTyucvdMDohGynKrodTGyRJcuMBdFPNFsPbmEQDiXeCBwPHAGvawOvBTlXoMijuSUalSrftFWCHatRoivbehiDtLbRJUItnteqdEMNdrHsqAwgiCMOPDIVCmovSVTLxkclkmBC
uVpIAMJtmkdkkHIklamiCQLqtfkhhUkSocYtbQFOJXvaPBBmFWHIvwZHvnGYeaMxdGKwQjLaVvYevVyLQbWlTmKUQlkoOrQNMXdmPbTKgfXRhdoaqQapCNpsCJXvnFXBvXQemkXOdIyCpRptiJllMSdFsIjlywGJOWbpInDLB&VERSION=1.3.0
On 2020-02-01 18:33, nadiaspit wrote:
Hi,
I am a student of Cybersecurity Master at University of Pisa. My final
project work is about a Security Test of an installation of qgis server +
lizmap web client.
At a first analysis, I found out that lizmap web client is vulnerable to
"Buffer overflow attack"
https://www.owasp.org/index.php/Buffer_overflow_attack
The problem:
"Potential Buffer Overflow. The script closed the connection and threw
a 500 Internal Server Error"
The solution:
"Rewrite the background program using proper return length checking. This
will require a recompile of the background executable."
Here you can view the report
<https://drive.google.com/file/d/12s-akDIr9s127kw6MSYKRp1ph29gY_u3/view?usp=sharing>:
I also posted this question to Lizmap web client Github: Is Buffer
Overflow vulnerability a false positive for Lizmap web client?
They suggested asking this group.
Any help would be very appreciated.
Kind Regards,
Nadia Spitilli
--
Sent from:
http://osgeo-org.1560.x6.nabble.com/QGIS-Developer-f4099106.html
_______________________________________________
QGIS-Developer mailing list
[email protected]
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
J. Gustavo
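A triage helper for the two outcomes discussed in this thread, added here as an example and not taken from the thread, QGIS Server or Lizmap: it separates an OGC `ServiceExceptionReport` (the parameter was validated and rejected) from a bare HTTP 500 (unhandled failure). The function names and the 500 body are constructed; the exception report is the one Jorge quoted.

```python
import xml.etree.ElementTree as ET

OGC_NS = "http://www.opengis.net/ogc"

# Body quoted in the thread (QGIS Server reply to an unknown SERVICE value).
QGIS_BODY = """<ServiceExceptionReport version="1.3.0" xmlns="http://www.opengis.net/ogc">
<ServiceException code="Service configuration error">Service unknown or
unsupported</ServiceException>
</ServiceExceptionReport>"""

# Constructed sample of a generic web-server error page.
HTML_500 = "<html><body><h1>500 Internal Server Error</h1></body></html>"


def parse_service_exceptions(body):
    """Return [(code, message)] if body is an OGC ServiceExceptionReport, else []."""
    text = body.strip()
    # Refuse DTDs: a response under test is untrusted input to the XML parser.
    if not text.startswith("<") or "<!doctype" in text.lower():
        return []
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return []
    # Accept the report element with or without the OGC namespace.
    if root.tag not in ("{%s}ServiceExceptionReport" % OGC_NS, "ServiceExceptionReport"):
        return []
    found = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "ServiceException":
            # Collapse line wraps inside the message text.
            found.append((el.get("code"), " ".join((el.text or "").split())))
    return found


def classify(status, body):
    """Classify a response to a request carrying an invalid SERVICE value."""
    exceptions = parse_service_exceptions(body)
    if exceptions:
        # The server parsed the parameter and rejected it in-protocol.
        return "service-exception", exceptions
    if status >= 500:
        # Unhandled failure: the status code alone does not identify the
        # cause, which has to be read from the server-side logs.
        return "server-error", []
    if status >= 400:
        return "http-error", []
    return "other", []
```
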