[mapserver-dev] Re: MapServer security issue
Steve Lime
steve.lime at dnr.state.mn.us
Mon Nov 4 14:56:49 EST 2002
Thanks Jan, I'll forward this to the developers list for discussion.
Another fix would simply be to not allow changing of DATA via a URL.
Steve
Stephen Lime
Data & Applications Manager
Minnesota DNR
500 Lafayette Road
St. Paul, MN 55155
651-297-2937
>>> Jan Hartmann <jhart at frw.uva.nl> 11/04/02 06:43AM >>>
Hello Steve,
I wasn't sure whether this should be posted to any of the mapserver
lists, so I just sent it to you personally. If you think more people
should have a look at it, please feel free to forward.
Jan
--------------------------------------------------------------------------
Has anyone thought about the following security risk in MapServer CGI:
MapServer reads its data files (GIS or raster) from a path specified by
the DATA statement in the LAYER section of the MapFile. This filename is
usually hard-coded in the MapFile, but it can also be set with a
CGI-variable from the calling URL. Take for example a MapServer CGI
running as
http://mapserver.mydomain.com/scripts/mapserv
and a MapFile called default.map with the following items:
    LAYER
      NAME map1
      DATA "/web/shapefiles/map1.shp"
      ...
      ...
      ...
    END
Usually you will create a map with a URL like:
http://mapserver.mydomain.com/scripts/mapserv?map=default.map
which will display "map1.shp". However, it is perfectly possible to get
a map from this same MapServer with:
http://mapserver.mydomain.com/scripts/mapserv?map=default.map&map_layer_0_data="any_local_file"
which can display any shapefile on your file system, within or without
your Web environment. The trouble is, this can be done by everyone on the
Web.
Of course, you need to know an actual existing filename, and you only
get back read-only raster results, so the actual security risk is not
that big. However, IMO WebServers should NEVER have access to the whole
file system, however restricted this access might be, but only to
specifically designated file areas.
It wouldn't be too hard to stop this gap: just make something like
SHAPEPATH obligatory, not only for shapefiles, but also for OGR and
raster files. Existing applications could just add SHAPEPATH "/" or
SHAPEPATH "c:\", if they don't mind exposing their whole filesystem.
Others could use this as a sort of root location for their map-data, and
shield everything they wouldn't wish to be seen from the outside.
Jan Hartmann
Department of Geography,
University of Amsterdam
jhart at frw.uva.nl
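
Added example (not part of the original messages and not MapServer code): the two fixes discussed in this thread, refusing DATA set from the URL and confining DATA to a mandatory SHAPEPATH root, written as a Python request check. The function names, the generalization of map_layer_0_data to any layer index, and the sample paths are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qsl

# Per-layer DATA override as shown in the message (map_layer_0_data);
# matching any layer index is an assumption made for this example.
DATA_OVERRIDE = re.compile(r"^map_layer_(\d+)_data$", re.IGNORECASE)


def confine(shapepath, data):
    """Resolve `data` under the mandatory root `shapepath`.

    Returns the normalized path, or None if it lands outside the root.
    This check is lexical only; a deployment must also resolve symlinks
    (os.path.realpath) before comparing.
    """
    root = posixpath.normpath(shapepath)
    # join() lets an absolute `data` replace the root, so the prefix
    # test below rejects it unless the root is "/".
    candidate = posixpath.normpath(posixpath.join(root, data.strip('"')))
    if root == "/":
        return candidate  # operator chose to expose the whole filesystem
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def check_request(query, shapepath, allow_url_data=False):
    """Return (allowed, reason) for a mapserv-style query string."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        if not DATA_OVERRIDE.match(key):
            continue
        if not allow_url_data:
            return False, "DATA may not be set from the URL"
        if confine(shapepath, value) is None:
            return False, "DATA resolves outside SHAPEPATH"
    return True, "ok"


if __name__ == "__main__":
    # Constructed query strings, not taken from any real server log.
    for q in ("map=default.map",
              "map=default.map&map_layer_0_data=map2.shp",
              "map=default.map&map_layer_0_data=../../other/file.shp"):
        print(q, "->", check_request(q, "/web/shapefiles", allow_url_data=True))
```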