[mapguide-users] RE: MG Security question

Trevor Wekel trevor_wekel at otxsystems.com
Wed Aug 26 20:40:02 EDT 2009


Here are a few other suggestions for hardening the security on a production MapGuide site:

Remove the server admin pages (www/mapadmin) and the HTTP test pages (www/mapagent/*.html, *.js, *.php).  All of these pages require authentication but they do give a lot of information to anyone who can figure out the credentials.  Even the "Anonymous" user account has access to the HTTP test pages with the default security setup.

Disable all of the HTTP "author role" commands by adding the following to www/webconfig.ini
[AgentProperties]
DisableAuthoring = 1

Disabling authoring kills Maestro and Autodesk MapGuide Studio.  If you are only running one box, you can set up a second private instance of the web extensions with authoring enabled by installing a second HTTP Server (Apache or IIS) and then installing the web extensions on that server.  Both web servers can point at the same MapGuide Server.

If you are not using WMS or WFS, you can also disable serving of these protocols with
[AgentProperties]
DisableWfs = 1
DisableWms = 1

Thanks,
Trevor
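
An added check, not code from this thread or from the MapGuide project: a short Python script that audits a webconfig.ini for the three [AgentProperties] settings Trevor lists and probes whether the admin and HTTP test pages he says to remove are still being answered. The /mapguide/ URL alias and the mapadmin/login.php filename are assumed defaults (adjust them for your site), and the two sample INI texts are constructed for the demonstration.

```python
"""Audit a MapGuide webconfig.ini for the hardening settings discussed in the
thread and probe whether the admin/test pages are still being served.

Added example: not code from the thread or from the MapGuide project.
"""
import configparser
import urllib.error
import urllib.request

# Keys from the thread; all live in [AgentProperties] and "1" disables the feature.
REQUIRED_AGENT_SETTINGS = {"DisableAuthoring": "1", "DisableWfs": "1", "DisableWms": "1"}

# Pages the thread says to remove. The /mapguide/ alias and the login.php
# filename are assumptions about a default install; adjust for your site.
REMOVED_PAGES = ["/mapguide/mapadmin/login.php", "/mapguide/mapagent/index.html"]


def audit_webconfig(ini_text):
    """Return a list of findings (empty list == hardened) for webconfig.ini text."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("AgentProperties"):
        return ["[AgentProperties] section missing: authoring, WFS and WMS are all enabled"]
    section = cp["AgentProperties"]
    findings = []
    for key, wanted in REQUIRED_AGENT_SETTINGS.items():
        actual = section.get(key)  # configparser matches option names case-insensitively
        if actual is None:
            findings.append(f"{key} not set (feature enabled by default)")
        elif actual.strip() != wanted:
            findings.append(f"{key} = {actual.strip()} (expected {wanted})")
    return findings


def still_served(status):
    """A page counts as removed only if the server answers 403, 404 or 410.
    A 401 means the page exists and is merely asking for credentials, which
    is exactly the situation the thread warns about."""
    return isinstance(status, int) and status not in (403, 404, 410)


def probe_removed_pages(base_url, timeout=5):
    """Request each page in REMOVED_PAGES; return {path: HTTP status or error string}."""
    results = {}
    for path in REMOVED_PAGES:
        url = base_url.rstrip("/") + path
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            results[path] = err.code          # 401/403/404 etc. arrive here
        except urllib.error.URLError as err:
            results[path] = f"error: {err.reason}"
    return results


# Constructed sample configs for the demonstration (not from any real install).
DEFAULT_INI = """\
# typical out-of-the-box state: authoring and WFS left enabled
[AgentProperties]
DisableWms = 0
"""

HARDENED_INI = """\
[AgentProperties]
DisableAuthoring = 1
DisableWfs = 1
DisableWms = 1
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_INI), ("hardened", HARDENED_INI)):
        findings = audit_webconfig(text)
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    # Network probe against your own site, for example:
    # for path, status in probe_removed_pages("http://localhost").items():
    #     print(path, status, "STILL SERVED" if still_served(status) else "gone")
```

Run it with the real webconfig.ini contents passed to audit_webconfig(), then point probe_removed_pages() at the public hostname: a 401 on either page means the file is still there behind the password prompt, which is the state the thread describes as leaking information to anyone who can figure out the credentials.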

From: mapguide-users-bounces at lists.osgeo.org [mailto:mapguide-users-bounces at lists.osgeo.org] On Behalf Of Homan, Thomas
Sent: August 26, 2009 4:14 PM
To: MapGuide Users Mail List
Subject: RE: [mapguide-users] RE: MG Security question

Thanks for the response Bruce.

Changing the admin password was the first thing I did, and that brought about my noticing that serveradminhelper was failing; and yes, I would completely agree a dialog is warranted. I am mostly fishing for any other known security deficiencies without a complete code review.

Tom

________________________________
From: mapguide-users-bounces at lists.osgeo.org [mailto:mapguide-users-bounces at lists.osgeo.org] On Behalf Of Bruce Dechant
Sent: Wednesday, August 26, 2009 2:58 PM
To: MapGuide Users Mail List
Subject: [mapguide-users] RE: MG Security question

Tom,

I don't know of any document describing the security of MGOS.

In regards to your concern over serveradminhelper it is hard coded to use the default administrator user name and password - so credentials are still required just no dialog. If you plan on using MGOS or any other system that uses logon credentials it is always recommended that you change the default administrator credentials. However, I do think that the serveradminhelper pages need to be updated so that credentials are asked in a dialog instead of being hard coded.

Thanks,
Bruce

From: mapguide-users-bounces at lists.osgeo.org [mailto:mapguide-users-bounces at lists.osgeo.org] On Behalf Of Homan, Thomas
Sent: Wednesday, August 26, 2009 11:23 AM
To: mapguide-users at lists.osgeo.org
Subject: [mapguide-users] MG Security question


Hello,

Does there happen to be a doc/wiki relating to security on MGOS?

I'm hoping to find something that details the obvious security holes, like where 'serveradminhelper.(php/aspx/jsp)' is called from mapagent/index.html ---> Server Admin and allows someone to take the MG server offline without having to enter any credentials. In a default install that tidbit is exposed to the public for their entertainment.

I'd like to know any of the other surprises that I don't yet know about as well.

Thanks in advance

Tom