[mapserver-dev] Re: MapServer security issue
steve.lime at dnr.state.mn.us
Mon Nov 4 14:56:49 EST 2002
Thanks Jan, I'll forward this to the developers list for discussion.
fix would simply be to not allow changing of DATA via a URL.
Data & Applications Manager
500 Lafayette Road
St. Paul, MN 55155
>>> Jan Hartmann <jhart at frw.uva.nl> 11/04/02 06:43AM >>>
I wasn't sure whether this should be posted to any of the mapserver
lists, so I just send it to you personally. If you think more people
should have a look at it, please feel free to forward.
Has anyone thought about the following security risk in MapServer CGI:
MapServer reads its data files (GIS or raster) from a path specified by
the DATA statement in the LAYER section of the MapFile. This filename
usually hard-coded in the MapFile, but it can also be set with a
CGI-variable from the calling URL. Take for example a MapServer CGI
and a MapFile called default.map with the following items:
Usually you will create a map with an URL like:
which will display "map1.shp". However, it is perfectly possible to get
a map from this same MapServer with:
which can display any shapefile on your file system, within or without
your Web environment. The trouble is, this can done by everyone on the
Of course, you need to know an actual existing filename, and you only
get back read-only raster results, so the actual security risk is not
that big. However, IMO WebServers should NEVER have access to the
file system, however restricted this access might be, but only to
specifically designated file areas.
It wouldn't be too hard to stop this gap: just make something like
SHAPEPATH obligatory, not only for shapefiles, but also for OGR and
raster files. Existing applications could just add SHAPEPATH "/" or
SHAPEPATH "c:\", if they don't mind exposing their whole filesystem.
Others could use this as a sort of root location for their map-data,
shield everything they wouldn't wish to be been seen from the
Department of Geography,
University of Amsterdam
jhart at frw.uva.nl
More information about the mapserver-dev