Hi Even, thanks for the review. To be fair, the original report from Nadia was indeed against Lizmap. Cheers.
On 02/02/20 18:12, Even Rouault wrote:

> Nadia,
>
> Thanks for investigating QGIS server security. However, I would expect a vulnerability report to go a bit beyond just using a generic security scanner that can have false positives, especially here as all components involved are open source, so it is possible to look at the code, instrument it, etc. So a report should point to the exact line of code where the vulnerability is triggered and/or provide an exploit.
>
> For the long GET request, this is very, very unlikely to be a buffer overflow.
>
> Considering that the following is a valid request:
> https://www.cybertest.it/gis/index.php/lizmap/service/?REQUEST=GetCapabilities&SERVICE=WMS&VERSION=1.3.0&project=demogis&repository=demogis
>
> And the same but with just FOO instead of WMS for the value of SERVICE leads to the 500 error:
> https://www.cybertest.it/gis/index.php/lizmap/service/?REQUEST=GetCapabilities&SERVICE=FOO&VERSION=1.3.0&project=demogis&repository=demogis
>
> Looking at the error message, a bit of googling shows that it comes from LizMap source code, not QGIS server:
> https://github.com/3liz/lizmap-web-client/blob/master/lib/jelix/core/response/error.en_US.php
>
> Furthermore, Jelix is a PHP component, so not native code, hence buffer overflow vulnerabilities leading to arbitrary code execution aren't relevant here (unless you'd trigger a vulnerability of the PHP executable itself!)
>
> I haven't looked at the other things reported, but they are likely to be LizMap specific rather than QGIS-server, unless otherwise proven.
>
> Even

--
Paolo Cavallini - www.faunalia.eu
QGIS.ORG Chair: http://planet.qgis.org/planet/user/28/tag/qgis%20board/

QGIS-Developer mailing list. List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
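The thread's point is that a 500 on an unexpected SERVICE value is an unhandled application error in PHP front-end code, not memory corruption, and that the fix is input validation rather than anything in QGIS Server. The following is an added illustration written for this page; it is not Lizmap, Jelix or QGIS Server code, and the allow-list of services, the length limit and the dispatch table are constructed assumptions. It contrasts a dispatcher that looks up the handler without validation (the unknown value becomes an exception, which a framework's generic error page turns into a 500) with one that rejects a missing, unknown or oversized parameter up front and answers with a well-formed OGC ServiceExceptionReport and a 400.

```python
"""Added example: an unhandled SERVICE value producing a 500 versus
explicit request validation. Not code from Lizmap, Jelix or QGIS Server;
the allow-list, length limit and handler names are constructed here."""
from urllib.parse import parse_qs
from xml.sax.saxutils import escape

# Assumed allow-list of OGC services this front end knows how to dispatch.
SUPPORTED_SERVICES = {"WMS", "WFS", "WCS"}
# Assumed upper bound on any single query-string value (a very long GET
# parameter is a denial-of-service / logging concern, not a memory one here).
MAX_PARAM_LEN = 4096


def _params(query_string: str) -> dict:
    """Flatten the query string to {UPPERCASE_KEY: first_value}."""
    return {k.upper(): v[0] for k, v in parse_qs(query_string).items()}


def naive_dispatch(query_string: str) -> tuple:
    """Look up a handler by SERVICE with no validation.

    SERVICE=FOO (or no SERVICE at all) raises KeyError; in a real framework
    the uncaught exception is rendered by the generic error page as a 500,
    which is what a scanner then flags. Mirroring that behaviour here."""
    handlers = {"WMS": "wms_handler", "WFS": "wfs_handler", "WCS": "wcs_handler"}
    params = _params(query_string)
    try:
        return 200, handlers[params["SERVICE"]]
    except KeyError as exc:  # stands in for the framework's error page
        return 500, f"Unhandled exception: KeyError {exc}"


def service_exception(code: str, locator: str, text: str) -> str:
    """Build an OGC-style ServiceExceptionReport body; values are escaped so a
    client-controlled parameter cannot inject markup into the error document."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<ServiceExceptionReport version="1.3.0">\n'
        f'  <ServiceException code="{escape(code, {chr(34): "&quot;"})}" '
        f'locator="{escape(locator, {chr(34): "&quot;"})}">{escape(text)}</ServiceException>\n'
        "</ServiceExceptionReport>\n"
    )


def validated_dispatch(query_string: str) -> tuple:
    """Validate before dispatching: unknown or malformed input is a client
    error (400) with a structured body, never an unhandled exception."""
    params = _params(query_string)

    # Oversized values are rejected first, before anything is logged or parsed.
    for key, value in params.items():
        if len(value) > MAX_PARAM_LEN:
            return 400, service_exception(
                "InvalidParameterValue", key,
                f"value exceeds {MAX_PARAM_LEN} characters")

    service = params.get("SERVICE")
    if service is None:
        return 400, service_exception(
            "MissingParameterValue", "SERVICE", "SERVICE parameter is required")
    if service.upper() not in SUPPORTED_SERVICES:
        return 400, service_exception(
            "InvalidParameterValue", "SERVICE",
            f"unsupported service; expected one of {sorted(SUPPORTED_SERVICES)}")

    # Only an allow-listed service reaches the real handler.
    return 200, f"{service.upper()}:{params.get('REQUEST', '')}"


if __name__ == "__main__":
    valid = "REQUEST=GetCapabilities&SERVICE=WMS&VERSION=1.3.0"
    bogus = "REQUEST=GetCapabilities&SERVICE=FOO&VERSION=1.3.0"
    for qs in (valid, bogus):
        print("naive    ", naive_dispatch(qs)[0], qs)
        print("validated", validated_dispatch(qs)[0], qs)
```

Running the block shows the same two requests from the thread yielding 200/500 under the naive dispatcher and 200/400 under the validated one; a 400 with a ServiceExceptionReport is what a scanner should see for a bad SERVICE value, and it is also much easier to triage in server logs than a generic 500.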
