[QGIS-Developer] Potential vulnerabilities
Even Rouault
even.rouault at spatialys.com
Sun Feb 2 09:12:45 PST 2020
Nadia,
Thanks for investigating QGIS server security. However, I would expect a
vulnerability report to go a bit beyond than just using a generic security
scanner that can have false positives, especially here as all components
involved are open source so it is possible to look at the code, instrument it etc..
So a report should point to the exact line of code where the vulnerability
is triggered and/or provide an exploit.
For the long GET request, this is very very unlikely to be a buffer overflow.
Considering that the following is a valid request:
https://www.cybertest.it/gis/index.php/lizmap/service/?REQUEST=GetCapabilities&SERVICE=WMS&VERSION=1.3.0&project=demogis&repository=demogis
And the same but with just FOO instead of WMS for the value of SERVICE leads to the 500 error:
https://www.cybertest.it/gis/index.php/lizmap/service/?REQUEST=GetCapabilities&SERVICE=FOO&VERSION=1.3.0&project=demogis&repository=demogis
Looking at the error message, a bit of googling shows that it comes from LizMap
source code, not QGIS server:
https://github.com/3liz/lizmap-web-client/blob/master/lib/jelix/core/response/error.en_US.php
Furthermore Jelix is a PHP component, so not native code, hence buffer overflow
vulnerabilities leading to arbitrary code execution aren't relevant here (unless you'd
trigger a vulnerability of the PHP executable itself!)
I haven't look at the other things reported, but they are likely to be
LizMap specific rather than QGIS-server, unless otherwise proven.
Even
--
Spatialys - Geospatial professional services
http://www.spatialys.com
More information about the QGIS-Developer
mailing list