[mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS
Jeff McKenna
jmckenna at gatewaygeomatics.com
Sun Aug 6 06:43:48 PDT 2017
On 2017-08-06 8:47 AM, Even Rouault wrote:
> Beste / devs,
>
> adding the development list in CC.
>
> I can confirm the issue on latest mapcache master. The vulnerabililty is the
> injection of a parameter value between XML comment markers <-- --> used for
> the error message. When this parameter value starts with --> it ends up the
> comment part and the rest of the value is then parsed as non-comment XML.
> By skimming through the code it appears there are several similar instances in
> this protocol and others as well.
>
> I can see 2 options to fix this:
> - the safer one I think: do not return the invalid parameter value in the
> error message, but just the parameter name. So returning "Invalid layer name"
> instead of "Invalid layer {value_of_the_LAYER_parameter}". The important
> information is the name of the erroneous parameter, not its value (the user
> can figure it that himself)
I think users need the {value_of_the_LAYER_parameter} Without that, it
is impossible to debug with a large mapfile (with or without MapCache).
> - a more risky one: sanitize the value that is going to be put inside XML
> comments <-- --> . So that means at least removing --> sequences, but perhaps
> other things too ?
>
> Even
>
-jeff
--
Jeff McKenna
MapServer Consulting and Training Services
http://www.gatewaygeomatics.com/
More information about the mapserver-users
mailing list