[gdal-dev] OGR WCTS Security Issue / Migration To Spike
Frank Warmerdam
warmerdam at pobox.com
Tue Sep 16 22:33:17 PDT 2014
Folks,
Robert Coup has noticed a security problem with the OGR WCTS service. As I
am not aware of anyone using it, and it hasn't been maintained for a while,
I'm going to move it to "svn spike" from trunk and add a small warning
about it there. Anyone actually running this as a service may want to
review the notes added to the index.html and/or talk to Robert. If there
is desire to keep this in the GDAL/OGR distribution, let me know and we
could work on a fix.
The brief (incomplete) description follows, and the code can now be found
at:
http://svn.osgeo.org/gdal/spike/wcts/
<h2><a id="security">Security Concern</a></h2>
The OGR WCTS server has been moved to "spike" due to lack of maintenance
and a non-trivial SSRF security bug. In light of this problem, it is
advised
that this service only be used with caution. Robert Coup describes it this
way:
<p>
<i>
If the WCTS stuff is compiled with -DHAVE_CURL, then the ogrwcts process is
vulnerable to SSRF. The wctsclient process (which looks to me like a cgi
server) is always vulnerable, since it doesn't care about -DHAVE_CURL.<p>
(a) Either passing in a user-supplied URL which isn't validated before
requesting it - this leaves "internal" http services which should only be
readable to the server readable to any client.<p>
(b) Using a redirect to the gopher protocol a client can send HTTP POST
requests or other payloads to any host accessible to the server. *Why* curl
enables the gopher protocol is beyond me, but it does.<p>
We can protect against (b) by disabling redirect-following
(CURLOPT_FOLLOWLOCATION=0). But we can't really protect against (a) at all
without adding some black/whitelist of IP addresses.<p>
Steps to reproduce:<p>
Overview:
<ol>
<li> send evil request to wctsclient or ogrwcts services
<li> wcts requests client-specified http url (via <FileUrl> in ogrwcts, or
WCTSServer/GMLURL in wctsclient)
<li> either that reveals private inf
</ol>
</i>
Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Software Developer
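The two defences Robert describes above, refusing to follow redirects and checking where a client-supplied URL actually points before the server fetches it, as an added Python example; this is not GDAL code and not from the original post, and the function name `check_fetch_url`, the `constructed_resolve` table and the sample hosts are assumptions made for illustration.

```python
"""Server-side validation of a client-supplied fetch URL (SSRF mitigation)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web schemes; anything else (gopher, file, ...) is refused outright.
ALLOWED_SCHEMES = {"http", "https"}


def default_resolve(host):
    """Resolve a host to every address it maps to (live DNS lookup)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def constructed_resolve(host):
    """Offline stand-in for DNS, with a constructed table for the example."""
    table = {"example.org": {"93.184.216.34"}, "intranet.example": {"10.0.0.5"}}
    try:
        ipaddress.ip_address(host)  # IP literals resolve to themselves
        return {host}
    except ValueError:
        return table[host]


def check_fetch_url(url, allowed_hosts=None, resolve=default_resolve):
    """Return (ok, reason). ok is True only if every check passes.

    Redirects must still be disabled in the HTTP client (CURLOPT_FOLLOWLOCATION=0
    in libcurl terms): this check says nothing about where a redirect would go.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, f"host {host!r} not on allow-list"
    try:
        addrs = resolve(host)
    except (KeyError, OSError) as exc:
        return False, f"cannot resolve {host!r}: {exc!r}"
    # Reject if ANY address is non-public: a host with one public and one
    # internal address must not be fetched either.
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if ip.is_multicast or not ip.is_global:
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"
```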