[Geomoose-users] Security Advisory for MS4W users

James Klassen klassen.js at gmail.com
Wed Mar 31 14:29:41 PDT 2021


I was going to ask you about the preferred way to handle this on MS4W to
update the docs and/or MS4W package but got busy with other tasks today.

It seems like something that should be in the httpd.conf for the geomoose
package, but that might conflict with other installed apps.

One thing that might work well across multiple uncoordinated apps is how
I've been installing mapserver on most of my servers where the mapfile
controls the URL instead of /cgi-bin/mapserv.  Then since apache sees the
actual mapfile paths, you can set MS_MAP_NOPATH and MS_MAPFILE (I'm working
from memory now so I probably got the names wrong, but hopefully it still
makes sense) environment variables and use the standard <Directory> and
<File> apache directives to limit what is accessible (potentially different
per user).

This does change the URLs though so apps would have to be reconfigured for
it.

I'll forward details when I get back to my main computer.

On Wed, Mar 31, 2021, 15:02 Jeff McKenna <jmckenna at gatewaygeomatics.com>
wrote:

> Dear GeoMoose community, please see the message below for those running
> MS4W (or MapServer on any operating system) on public-facing servers.
> Thank-you.
>
>
>
> -------- Forwarded Message --------
>
> Hello everyone,
>
> As the security of MS4W on your public-facing server is important,
> please take some time to review the possible security steps to enable
> for MS4W at:
> https://ms4w.com/README_INSTALL.html#securing-your-ms4w-installation You
> will notice MS4W examples, as well as instructions to use an online tool
> for testing your MS4W instance.
>
> As stated there, setting the *MS_MAP_PATTERN* environment variable is
> strongly recommended for your server instance.
>
> The past few weeks (and especially the past few days, which were full of
> intense regular expression testing) I have been working with Steve Lime
> closely and other MapServer steering committee members, to release the
> security advisory for MapServer:
> https://mapserver.org/announcements/2021-03-30-limit-mapfile-access.html
>
> Future MS4W releases will likely be tighter, with definitely the popular
> .exe installer setting & enabling the *MS_MAP_PATTERN* regular
> expression on-the-fly, for new installations, as well as providing a few
> default settings in the distributed Apache httpd.conf file.
>
> MS4W security is my priority, always has been, and I hope the examples
> and expressions that I provided in the MS4W readme above, help everyone
> implement, and take some of the fear of expressions away.
>
> Thank-you all.
>
>
> --
> Thank-you for using MS4W.
> "MS4W: open doors as well as windows"
>
> -jeff
>
>
> --
> Jeff McKenna
> GatewayGeo: Developers of MS4W, MapServer Consulting and Training
> co-founder of FOSS4G
> http://gatewaygeo.com/
>
>
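The forwarded message recommends setting MS_MAP_PATTERN and mentions the regular expression testing behind it. As an added example (not part of either message, and not code from MS4W or MapServer), this script checks a candidate pattern against `map=` values before it goes into the server configuration, comparing a suffix-only pattern with an anchored one. Assumptions: `/opt/example/maps` is a placeholder directory, both patterns and all test values are constructed, paths use forward slashes, and Python's `re` stands in for MapServer's regex engine, which is safe here only because the patterns use basic constructs.

```python
import re

# Constructed values: /opt/example/maps is a placeholder directory, and neither
# pattern is copied from the MS4W readme or the MapServer advisory.
SUFFIX_ONLY = r"\.map$"
ANCHORED = r"^/opt/example/maps/([A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.map$"

# (map= value, should the server accept it?) -- constructed test inputs.
CASES = [
    ("/opt/example/maps/demo/demo.map", True),
    ("/opt/example/maps/county/parcels/parcels.map", True),
    ("/opt/example/maps/demo/../../other/private.map", False),  # leaves the tree
    ("/opt/other/private.map", False),                          # outside the tree
    ("/opt/example/maps/demo/demo.map.bak", False),             # wrong extension
    ("/opt/example/maps/.hidden/x.map", False),                 # dot in directory name
    ("demo.map", False),                                        # relative path
]


def accepts(pattern: str, value: str) -> bool:
    """Unanchored search, so anchoring must come from the pattern itself."""
    return re.search(pattern, value) is not None


def audit(pattern: str, cases=CASES):
    """Return the values whose accept/reject decision differs from the expectation."""
    return [value for value, expected in cases if accepts(pattern, value) != expected]


def lint(pattern: str):
    """Cheap structural checks to run before deploying a pattern."""
    problems = []
    if not pattern.startswith("^"):
        problems.append("no leading ^: any prefix is accepted")
    if not pattern.endswith("$"):
        problems.append("no trailing $: any suffix is accepted")
    return problems


if __name__ == "__main__":
    for name, pattern in (("suffix-only", SUFFIX_ONLY), ("anchored", ANCHORED)):
        print(name, "lint:", lint(pattern))
        for value in audit(pattern):
            print("  unexpected decision for", value)
```

An empty `audit()` result only covers the listed cases, so extend `CASES` with the mapfile locations actually served before relying on it.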