Hi all, A few days ago we have been informed about a security vulnerability in the Nominatim API. Today we have released updates for all affected Nominatim versions.
Today we have released new versions 3.4.2, 3.3.1 and 3.2.1 of Nominatim. If you have your own installation of Nominatim, you should update as soon as possible. What is the problem? The /details endpoint fails to properly sanitize user input and uses it as is in an SQL query. This allows an attacker to inject arbitrary SQL code including querying and updating the database. Which versions are affected? The code was added to Nominatim in April 2018. All releases since 3.2 are affected. The bug has been fixed in 3.4.2, 3.3.1 and 3.2.1. How is my installation affected? If you have followed the standard installation instructions, then the /details endpoint is available by default. The standard installation also adds a special user for the webserver which has only minimal read rights on the database. If you have not changed the rights, then the vulnerability can only be used to query the database. How should I fix it? If you don't need the details API, then you can simply delete the file `website/details.php` to remove the endpoint. Otherwise, you should install the appropriate update for your version. No changes to the database are necessary. Simply download and build the new version, copy over your `settings/local.php` file and point your webserver to the new version. A big thank you to @bladeswords for finding and reporting this. Kind regards Sarah _______________________________________________ dev mailing list dev@openstreetmap.org https://lists.openstreetmap.org/listinfo/dev
