Re: [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS

2017-08-07 Thread Lime, Steve D (MNIT)
I'd favor the more simple and safer approach. It's not that difficult for the 
user to validate the layers requested against the GetCapabilities response. 
MapServer itself does not return the name of the invalid layer, presumably for 
the exact same reason. Instead you get "msWMSLoadGetMapParams(): WMS server 
error. Invalid layer(s) given in the LAYERS parameter. A layer might be 
disabled for this request. Check wms/ows_enable_request settings.".

Even, would you be willing to prepare a patch?

Steve

-Original Message-
From: mapserver-users [mailto:mapserver-users-boun...@lists.osgeo.org] On 
Behalf Of Jeff McKenna
Sent: Sunday, August 06, 2017 8:44 AM
To: mapserver-users@lists.osgeo.org
Subject: Re: [mapserver-users] XSS vulnerability on the 'layer' parameter of 
WMTS

On 2017-08-06 8:47 AM, Even Rouault wrote:
> Beste / devs,
> 
> adding the development list in CC.
> 
> I can confirm the issue on latest mapcache master. The vulnerability is the
> injection of a parameter value between XML comment markers <-- --> used for
> the error message. When this parameter value starts with --> it ends the
> comment part and the rest of the value is then parsed as non-comment XML.
> By skimming through the code it appears there are several similar instances in
> this protocol and others as well.
> 
> I can see 2 options to fix this:
> - the safer one I think: do not return the invalid parameter value in the
> error message, but just the parameter name. So returning "Invalid layer name"
> instead of "Invalid layer {value_of_the_LAYER_parameter}". The important
> information is the name of the erroneous parameter, not its value (the user
> can figure that out himself)

I think users need the {value_of_the_LAYER_parameter}. Without that, it 
is impossible to debug with a large mapfile (with or without MapCache).

> - a more risky one: sanitize the value that is going to be put inside XML
> comments <--  --> . So that means at least removing --> sequences, but perhaps
> other things too ?
> 
> Even
> 

-jeff
-- 
Jeff McKenna
MapServer Consulting and Training Services
http://www.gatewaygeomatics.com/
___
mapserver-users mailing list
mapserver-users@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapserver-users

Re: [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS

2017-08-06 Thread Jeff McKenna

On 2017-08-06 8:47 AM, Even Rouault wrote:
> Beste / devs,
> 
> adding the development list in CC.
> 
> I can confirm the issue on latest mapcache master. The vulnerability is the
> injection of a parameter value between XML comment markers <-- --> used for
> the error message. When this parameter value starts with --> it ends the
> comment part and the rest of the value is then parsed as non-comment XML.
> By skimming through the code it appears there are several similar instances in
> this protocol and others as well.
> 
> I can see 2 options to fix this:
> - the safer one I think: do not return the invalid parameter value in the
> error message, but just the parameter name. So returning "Invalid layer name"
> instead of "Invalid layer {value_of_the_LAYER_parameter}". The important
> information is the name of the erroneous parameter, not its value (the user
> can figure that out himself)

I think users need the {value_of_the_LAYER_parameter}. Without that, it
is impossible to debug with a large mapfile (with or without MapCache).

> - a more risky one: sanitize the value that is going to be put inside XML
> comments <--  --> . So that means at least removing --> sequences, but perhaps
> other things too ?
> 
> Even

-jeff

--
Jeff McKenna
MapServer Consulting and Training Services
http://www.gatewaygeomatics.com/

Re: [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS

2017-08-06 Thread Even Rouault
Beste / devs,

adding the development list in CC.

I can confirm the issue on latest mapcache master. The vulnerability is the 
injection of a parameter value between XML comment markers <-- --> used for 
the error message. When this parameter value starts with --> it ends the 
comment part and the rest of the value is then parsed as non-comment XML.
By skimming through the code it appears there are several similar instances in 
this protocol and others as well.

I can see 2 options to fix this:
- the safer one I think: do not return the invalid parameter value in the 
error message, but just the parameter name. So returning "Invalid layer name" 
instead of "Invalid layer {value_of_the_LAYER_parameter}". The important 
information is the name of the erroneous parameter, not its value (the user 
can figure that out himself)
- a more risky one: sanitize the value that is going to be put inside XML 
comments <--  --> . So that means at least removing --> sequences, but perhaps 
other things too ?

Even

> Hello,
> 
> I'm a student working on a school project that utilises mapserver 6.2
> installed from rpm on RedHat OS. My advisors are very concerned about the
> security of the system. From the security reports, we obtained this XSS
> vulnerability on the 'layer' parameter of WMTS service.
> 
> http://example.com/mapcache/wmts/?SERVICE=WMTS=
> GetTile=1.0.0=--%3E%3ca%20xml
> 
> ns%3aa%3d%27http%3a%2f%2fwww.w3.org%2f1999%2fxhtml%27%3e%
> 3ca%3abody%20onload%3d%27alert()%27%2f
> %3e%3c%2fa%3e=default=epsg3857=6=23&
> TILECOL=38=
> 
> I wonder if the newer versions of mapserver have this issue or is there any
> way to solve it?
> Any help would be appreciated.
> 
> Beste


-- 
Spatialys - Geospatial professional services
http://www.spatialys.com
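For the two fix options Even lays out above (omit the value, or strip the "-->" sequence and whatever else can end the comment), an added C example that is not MapCache's or MapServer's own code; the function names and the constructed sample value "--><b>x</b>" are mine. It treats any "--" as unsafe rather than only "-->", because XML forbids "--" inside a comment at all.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sanitize an untrusted value before placing it inside an XML comment.
 * XML forbids "--" anywhere within a comment and forbids a comment body
 * ending in "-", and "-->" is exactly the sequence that closes the comment.
 * So: drop any '-' that would directly follow another '-' in the output,
 * drop a trailing '-', and drop control characters XML does not allow.
 * Returns the number of bytes written to out (NUL not counted). */
size_t xml_comment_sanitize(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return 0;
    for (; *in != '\0' && n + 1 < outlen; in++) {
        unsigned char c = (unsigned char)*in;
        if (c < 0x20 && c != '\t' && c != '\n' && c != '\r')
            continue;                       /* invalid XML character */
        if (c == '-' && n > 0 && out[n - 1] == '-')
            continue;                       /* would form "--" */
        out[n++] = (char)c;
    }
    while (n > 0 && out[n - 1] == '-')
        n--;                                /* body must not end in '-' */
    out[n] = '\0';
    return n;
}

/* True if body can sit between "<!--" and "-->" without ending the comment. */
int xml_comment_body_is_valid(const char *body)
{
    size_t len = strlen(body);
    return strstr(body, "--") == NULL && (len == 0 || body[len - 1] != '-');
}

/* Option 1 from the thread: report only the parameter name (hypothetical helper). */
int format_error_name_only(char *buf, size_t buflen, const char *param)
{
    return snprintf(buf, buflen, "<!-- Invalid %s -->", param);
}

/* Option 2 from the thread: echo the value, but only after sanitizing it. */
int format_error_with_value(char *buf, size_t buflen,
                            const char *param, const char *value)
{
    char safe[256];
    xml_comment_sanitize(value, safe, sizeof safe);
    return snprintf(buf, buflen, "<!-- Invalid %s: %s -->", param, safe);
}
```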