[MapProxy] MapProxy 1.10.4 release with XSS fix in demo service
Oliver Tonnhofer
olt at omniscale.de
Thu Aug 17 23:55:44 PDT 2017
Hello,
A security audit found a Cross Site Scripting (XSS) issue in the demo service.
A targeted[0], non-persistent Cross Site Scripting attack could use this issue for information disclosure. This is _not_ a disclosure of any information on the server (like files, etc.).
Refer to https://en.wikipedia.org/wiki/Cross-site_scripting
[0] An attacker gets a user who is logged in on example.com/app to click on a prepared link to example.com/mapproxy/demo. JavaScript code in the prepared link can then read the user's session cookies.
You are advised to disable the demo service or to update MapProxy to 1.10.4, if you are unsure whether this is a risk in your specific installation.
For reference: https://github.com/mapproxy/mapproxy/issues/322
Regards,
Oliver
--
Oliver Tonnhofer | Omniscale GmbH & Co KG | https://omniscale.com
OpenStreetMap WMS and tile services | https://maps.omniscale.com