[MapProxy] MapProxy 1.11.1 release with XSS fix in demo service

Oliver Tonnhofer olt at omniscale.de
Tue Aug 6 01:55:38 PDT 2019


a security audit by Janek Vind found a Cross Site Scripting (XSS) issue in the demo service. This is related to a previous XSS fix which did not cover all cases. 

A targeted[0], non-persistent Cross Site Scripting attack could use this issue for information disclosure. This is _not_ a disclosure of any information on the server (like files, etc.).
Refer to https://en.wikipedia.org/wiki/Cross-site_scripting

[0] An attacker manages that a user logged in on example.com/app clicks on a prepared link to example.com/mapproxy/demo. JavaScript code in the prepared link can read session cookies from the user.

You are advised to disable the demo service or to update MapProxy to 1.11.1, if you are unsure whether this is a risk in your specific installation.
The upcoming 1.12.0 release will also contain this fix.

For reference: https://github.com/mapproxy/mapproxy/issues/322


Oliver Tonnhofer  | Omniscale GmbH & Co KG  | https://omniscale.com
OpenStreetMap WMS and tile services         | https://maps.omniscale.com

More information about the MapProxy mailing list