[mapguide-users] MapGuide Open Source 2.0 (Final) Possible Security Issue

Jason Birch Jason.Birch at nanaimo.ca
Wed Mar 19 18:49:45 EDT 2008


I have tried to duplicate this problem with:

 

- Win2k3

- MapGuide 2.0 Server Final, standard install on a clean machine.

- MapGuide 2.0 Web Extensions Final, in both IIS and Apache (bundled) mode

- Absolutely nothing in my repository, and a repository that only has data and layer types.

 

I tried doing this in each of the scenarios:

 

http://testmap:8008/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library://&TYPE=MapDefinition&DEPTH=-1&COMPUTECHILDREN=1&FORMAT=text/xml&USERNAME=Anonymous

 

This didn't fail; it output an empty XML entity.

 

This did not allow me to log in as Administrator using anything other
than the administrator password.

 

Andre, Rock, any ideas what the difference could be; why I can't
replicate this problem?  

 

There's not much point in putting a ticket in on this until I have a
scenario that the developers can use to track it down. 

 

Jason

 

From: mapguide-users-bounces at lists.osgeo.org
[mailto:mapguide-users-bounces at lists.osgeo.org] On Behalf Of Kenneth,
GEOGRAF A/S
Sent: Tuesday, March 11, 2008 02:08
To: MapGuide Users Mail List
Subject: Re: [mapguide-users] MapGuide Open Source 2.0 (Final) Possible Security Issue

 

I have just tested this on my local machine (2.0 rc2), and I cannot log
in with any unapproved user.
I have multiple MapDefinitions.

I agree that it would be a security bug, but if it is only present when
there are no MapDefinitions in the repo, I would say it has almost no
practical relevance.
Still, something must be wrong if it happens, and it should be fixed.



Regards, Kenneth, GEOGRAF A/S



Jason Birch wrote:

Seems nasty...

 

Have you had a chance to submit this as a ticket?

 

https://trac.osgeo.org/mapguide/wiki/SubmitTicket

 

Jason

 

From: mapguide-users-bounces at lists.osgeo.org
[mailto:mapguide-users-bounces at lists.osgeo.org] On Behalf Of Rock Beans
Sent: Wednesday, March 05, 2008 14:30
To: MapGuide Users Mail List
Subject: [mapguide-users] MapGuide Open Source 2.0 (Final) Possible Security Issue

 

I figured out how to reproduce this problem. If you have no maps defined
or created yet and do the call below but use "TYPE=MapDefinition&" it
fails with default user Anonymous. Then it allows the user
"Administrator" with no password to do any OPERATION=ENUMERATERESOURCES.
You can also log into Studio using Administrator with any random
password as long as it is not blank. I find this to be a huge bug. Can
anyone else confirm this?



Original:
After pounding my head for 3 hours I figured out that the FCGI calls
were allowing the user name of Administrator with no password. Studio
was allowing me to log in to the site with the user name of
Administrator and any password since it doesn't allow blank passwords.
The strange thing is I can't log on to the Site Administrator PHP pages
without the proper password, though. Anyone else encounter this or have
any suggestions? I went into the Site Administrator and changed the
password for the Administrator user as well. The really strange thing
was the user Anonymous would not work as it should, default out of the
box! It seemed every 3rd attempt with the Anonymous user would allow me
to get an XML list; the others said bad user and password.

Example URL (replace localhost with computer/dns name):
http://localhost/mapguide/mapagent/mapagent.fcgi?OPERATION=ENUMERATERESOURCES&VERSION=1.0.0&LOCALE=en&RESOURCEID=Library%3A%2F%2F&TYPE=&DEPTH=-1&COMPUTECHILDREN=1&FORMAT=text%2Fxml&USERNAME=Administrator

Now I changed the password for the Administrator to something other than
"admin" and back for testing and everything works fine. I have no clue
what went wrong. I had a co-worker try the link above with "localhost"
replaced with my work group "computer name" and he was able to get right
in as explained above. Now after everything seems OK he cannot. So I am
not sure what caused this or what fixed this but watch out for this one.


The Rock 
