Re: [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS
I'd favor the more simple and safer approach. It's not that difficult for the user to validate the layers requested against the GetCapabilities response. MapServer itself does not return the name of the invalid layer, presumably for the exact same reason. Instead you get "msWMSLoadGetMapParams(): WMS server error. Invalid layer(s) given in the LAYERS parameter. A layer might be disabled for this request. Check wms/ows_enable_request settings.".

Even, would you be willing to prepare a patch?

Steve

-----Original Message-----
From: mapserver-users [mailto:mapserver-users-boun...@lists.osgeo.org] On Behalf Of Jeff McKenna
Sent: Sunday, August 06, 2017 8:44 AM
To: mapserver-users@lists.osgeo.org
Subject: Re: [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS

On 2017-08-06 8:47 AM, Even Rouault wrote:
> Beste / devs,
>
> adding the development list in CC.
>
> I can confirm the issue on latest mapcache master. The vulnerability is the
> injection of a parameter value between XML comment markers <-- --> used for
> the error message. When this parameter value starts with --> it ends the
> comment part and the rest of the value is then parsed as non-comment XML.
> By skimming through the code it appears there are several similar instances in
> this protocol and others as well.
>
> I can see 2 options to fix this:
> - the safer one I think: do not return the invalid parameter value in the
> error message, but just the parameter name. So returning "Invalid layer name"
> instead of "Invalid layer {value_of_the_LAYER_parameter}". The important
> information is the name of the erroneous parameter, not its value (the user
> can figure that out himself)

I think users need the {value_of_the_LAYER_parameter}. Without that, it is impossible to debug with a large mapfile (with or without MapCache).

> - a more risky one: sanitize the value that is going to be put inside XML
> comments <-- --> . So that means at least removing --> sequences, but perhaps
> other things too ?
>
> Even

-jeff

--
Jeff McKenna
MapServer Consulting and Training Services
http://www.gatewaygeomatics.com/

___
mapserver-users mailing list
mapserver-users@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapserver-users
Re: [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS
On 2017-08-06 8:47 AM, Even Rouault wrote:
> Beste / devs,
>
> adding the development list in CC.
>
> I can confirm the issue on latest mapcache master. The vulnerability is the
> injection of a parameter value between XML comment markers <-- --> used for
> the error message. When this parameter value starts with --> it ends the
> comment part and the rest of the value is then parsed as non-comment XML.
> By skimming through the code it appears there are several similar instances in
> this protocol and others as well.
>
> I can see 2 options to fix this:
> - the safer one I think: do not return the invalid parameter value in the
> error message, but just the parameter name. So returning "Invalid layer name"
> instead of "Invalid layer {value_of_the_LAYER_parameter}". The important
> information is the name of the erroneous parameter, not its value (the user
> can figure that out himself)

I think users need the {value_of_the_LAYER_parameter}. Without that, it is impossible to debug with a large mapfile (with or without MapCache).

> - a more risky one: sanitize the value that is going to be put inside XML
> comments <-- --> . So that means at least removing --> sequences, but perhaps
> other things too ?
>
> Even

-jeff

--
Jeff McKenna
MapServer Consulting and Training Services
http://www.gatewaygeomatics.com/
Re: [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS
Beste / devs,

adding the development list in CC.

I can confirm the issue on latest mapcache master. The vulnerability is the injection of a parameter value between XML comment markers <-- --> used for the error message. When this parameter value starts with --> it ends the comment part and the rest of the value is then parsed as non-comment XML. By skimming through the code it appears there are several similar instances in this protocol and others as well.

I can see 2 options to fix this:
- the safer one I think: do not return the invalid parameter value in the error message, but just the parameter name. So returning "Invalid layer name" instead of "Invalid layer {value_of_the_LAYER_parameter}". The important information is the name of the erroneous parameter, not its value (the user can figure that out himself)
- a more risky one: sanitize the value that is going to be put inside XML comments <-- --> . So that means at least removing --> sequences, but perhaps other things too ?

Even

> Hello,
>
> I'm a student working on a school project that utilises mapserver 6.2
> installed from rpm on RedHat OS. My advisors are very concerned about the
> security of the system. From the security reports, we obtained this XSS
> vulnerability on the 'layer' parameter of WMTS service.
>
> http://example.com/mapcache/wmts/?SERVICE=WMTS=GetTile=1.0.0=--%3E%3ca%20xmlns%3aa%3d%27http%3a%2f%2fwww.w3.org%2f1999%2fxhtml%27%3e%3ca%3abody%20onload%3d%27alert()%27%2f%3e%3c%2fa%3e=default=epsg3857=6=23&TILECOL=38=
>
> I wonder if the newer versions of mapserver have this issue or is there any
> way to solve it?
> Any help would be appreciated.
>
> Beste

--
Spatialys - Geospatial professional services
http://www.spatialys.com
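The breakout Even describes, and both of the fixes he proposes, as an added example in C. This is not MapCache's or MapServer's code: the error-document template, the function names and the sample value (the LAYER payload from the student's URL, decoded) are constructed here to illustrate the thread.

```c
/*
 * Added example, not MapCache's or MapServer's code: an error document that
 * echoes a request parameter inside an XML comment, the breakout described in
 * the report, and the two fixes proposed in the thread.  Template, function
 * names and the sample value are constructed for this example.
 */
#include <stdio.h>
#include <string.h>

/* Constructed sample: the LAYER value from the report, URL-decoded. */
static const char *const kPayload =
    "--><a xmlns:a='http://www.w3.org/1999/xhtml'>"
    "<a:body onload='alert()'/></a>";

/* Hypothetical error-document template.  Passing the raw request parameter
 * as `value` is exactly the reported bug: it lands inside the comment. */
static int render_error_doc(const char *value, char *out, size_t n)
{
    int len = snprintf(out, n,
        "<?xml version=\"1.0\"?>\n<!-- Invalid layer %s -->\n<error/>\n", value);
    return (len >= 0 && (size_t)len < n) ? len : -1;
}

/* Option 1: name the parameter, never echo its value. */
static int build_error_no_value(char *out, size_t n)
{
    int len = snprintf(out, n,
        "<?xml version=\"1.0\"?>\n<!-- Invalid layer name -->\n<error/>\n");
    return (len >= 0 && (size_t)len < n) ? len : -1;
}

/* Option 2: sanitise before interpolation.  XML 1.0 forbids the string "--"
 * anywhere inside a comment, not only "-->", and a comment may not end in
 * "-", so break up every pair of dashes, neutralise a trailing dash and
 * replace control and non-ASCII bytes.  Returns the number of bytes written
 * (excluding the NUL) or -1 if `out` is too small. */
static int sanitize_for_xml_comment(const char *in, char *out, size_t n)
{
    size_t o = 0;
    char prev = '\0';
    if (n == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char c = (*p < 0x20 || *p > 0x7e) ? '?' : (char)*p;
        if (c == '-' && prev == '-')
            c = '_';
        if (o + 1 >= n)
            return -1;
        out[o++] = c;
        prev = c;
    }
    if (o > 0 && out[o - 1] == '-')
        out[o - 1] = '_';
    out[o] = '\0';
    return (int)o;
}

static int build_error_sanitized(const char *value, char *out, size_t n)
{
    char safe[1024];
    if (sanitize_for_xml_comment(value, safe, sizeof safe) < 0)
        return -1;
    return render_error_doc(safe, out, n);
}

/* Check: a well-formed error document closes exactly one comment.  A second
 * "-->" means the value closed the comment early and what follows it was
 * handed to the XML parser as markup. */
static int count_comment_terminators(const char *doc)
{
    int count = 0;
    for (const char *p = strstr(doc, "-->"); p; p = strstr(p + 3, "-->"))
        count++;
    return count;
}

/* Terminator count for the sample payload, raw (sanitized == 0) or through
 * the sanitiser (sanitized != 0). */
static int terminators_for_payload(int sanitized)
{
    static char doc[2048];
    int len = sanitized ? build_error_sanitized(kPayload, doc, sizeof doc)
                        : render_error_doc(kPayload, doc, sizeof doc);
    return len < 0 ? -1 : count_comment_terminators(doc);
}

int main(void)
{
    char doc[2048];
    render_error_doc(kPayload, doc, sizeof doc);
    printf("raw: %d terminators\n%s\n", count_comment_terminators(doc), doc);
    build_error_sanitized(kPayload, doc, sizeof doc);
    printf("sanitised: %d terminators\n%s\n", count_comment_terminators(doc), doc);
    build_error_no_value(doc, sizeof doc);
    printf("value omitted:\n%s", doc);
    return 0;
}
```

The check counts `-->` sequences because that is all the XML parser cares about: with the raw value the first `-->` is the one the client supplied, so the `<a:body onload=...>` element that follows it is parsed as markup rather than comment text. The sanitiser breaks up every `--`, not only `-->`, because XML 1.0 disallows `--` anywhere inside a comment; stripping only `-->` would still leave a malformed document. Omitting the value needs no such reasoning, which is why it is the safer of the two options, at the cost of the debugging information Jeff asks for.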