[QGIS-Developer] Potential vulnerabilities
Paolo Cavallini
cavallini at faunalia.it
Sun Feb 2 09:34:11 PST 2020
Hi Evevn,
thanks for the review. To be fair, original report from Nadia was indeed
against Lizmap.
Cheers.
Il 02/02/20 18:12, Even Rouault ha scritto:
> Nadia,
>
> Thanks for investigating QGIS server security. However, I would expect a
> vulnerability report to go a bit beyond than just using a generic security
> scanner that can have false positives, especially here as all components
> involved are open source so it is possible to look at the code, instrument it etc..
> So a report should point to the exact line of code where the vulnerability
> is triggered and/or provide an exploit.
>
> For the long GET request, this is very very unlikely to be a buffer overflow.
>
> Considering that the following is a valid request:
> https://www.cybertest.it/gis/index.php/lizmap/service/?REQUEST=GetCapabilities&SERVICE=WMS&VERSION=1.3.0&project=demogis&repository=demogis
>
> And the same but with just FOO instead of WMS for the value of SERVICE leads to the 500 error:
> https://www.cybertest.it/gis/index.php/lizmap/service/?REQUEST=GetCapabilities&SERVICE=FOO&VERSION=1.3.0&project=demogis&repository=demogis
>
> Looking at the error message, a bit of googling shows that it comes from LizMap
> source code, not QGIS server:
> https://github.com/3liz/lizmap-web-client/blob/master/lib/jelix/core/response/error.en_US.php
>
> Furthermore Jelix is a PHP component, so not native code, hence buffer overflow
> vulnerabilities leading to arbitrary code execution aren't relevant here (unless you'd
> trigger a vulnerability of the PHP executable itself!)
>
> I haven't look at the other things reported, but they are likely to be
> LizMap specific rather than QGIS-server, unless otherwise proven.
>
> Even
>
--
Paolo Cavallini - www.faunalia.eu
QGIS.ORG Chair:
http://planet.qgis.org/planet/user/28/tag/qgis%20board/
More information about the QGIS-Developer
mailing list