[mapserver-dev] Re: MapServer security issue

Steve Lime steve.lime at dnr.state.mn.us
Mon Nov 4 14:56:49 EST 2002

Thanks Jan, I'll forward this to the developers list for discussion.
fix would simply be to not allow changing of DATA via a URL. 


>>> Jan Hartmann <jhart at frw.uva.nl> 11/04/02 06:43AM >>>
Hello Steve,

I wasn't sure whether this should be posted to any of the mapserver
lists, so I just sent it to you personally. If you think more people
should have a look at it, please feel free to forward.



Has anyone thought about the following security risk in MapServer CGI:

MapServer reads its data files (GIS or raster) from a path specified by
the DATA statement in the LAYER section of the MapFile. This filename is
usually hard-coded in the MapFile, but it can also be set with a
CGI-variable from the calling URL. Take for example a MapServer CGI
running as


and a MapFile called default.map with the following items:

   NAME map1
   DATA "/web/shapefiles/map1.shp"

Usually you will create a map with a URL like:


which will display "map1.shp". However, it is perfectly possible to get
a map from this same MapServer with:


which can display any shapefile on your file system, within or without
your Web environment. The trouble is, this can be done by everyone on the

Of course, you need to know an actual existing filename, and you only 
get back read-only raster results, so the actual security risk is not 
that big. However, IMO WebServers should NEVER have access to the
file system, however restricted this access might be, but only to 
specifically designated file areas.

It wouldn't be too hard to stop this gap: just make something like 
SHAPEPATH obligatory, not only for shapefiles, but also for OGR and 
raster files. Existing applications could just add SHAPEPATH "/" or 
SHAPEPATH "c:\", if they don't mind exposing their whole filesystem. 
Others could use this as a sort of root location for their map-data,
shield everything they wouldn't wish to be seen from the
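
The restriction proposed in the message above (a mandatory root directory for layer data), sketched as an added example that is not part of the original e-mail or of MapServer's code: a lexical check that a DATA value, relative or absolute, stays below a configured root. The function names, POSIX-style paths and sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Lexically normalise an absolute POSIX path: collapse "//", "." and "..".
 * Returns 0 if ".." would climb above "/" or the buffer is too small. */
static int normalise(const char *in, char *out, size_t outlen)
{
    size_t len = 0;
    if (outlen < 2) return 0;
    while (*in) {
        size_t n = strcspn(in, "/");              /* length of next component */
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            if (len == 0) return 0;
            while (out[--len] != '/') { }         /* drop the last component */
        } else if (n > 0 && !(n == 1 && in[0] == '.')) {
            if (len + n + 2 > outlen) return 0;
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n + (in[n] == '/');
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return 1;
}

/* Returns 1 and writes the normalised path to out when data (relative to
 * root, or absolute) names something below root, matched on a component
 * boundary; 0 otherwise. Symlinks are not resolved: add a realpath() check. */
int data_path_allowed(const char *root, const char *data, char *out, size_t outlen)
{
    char joined[1024], nroot[1024];
    size_t rl; int n;
    if (root[0] != '/' || data[0] == '\0') return 0;
    if (!normalise(root, nroot, sizeof nroot)) return 0;
    n = (data[0] == '/') ? snprintf(joined, sizeof joined, "%s", data)
                         : snprintf(joined, sizeof joined, "%s/%s", nroot, data);
    if (n < 0 || (size_t)n >= sizeof joined) return 0;
    if (!normalise(joined, out, outlen)) return 0;
    rl = strcmp(nroot, "/") == 0 ? 0 : strlen(nroot);
    return strncmp(out, nroot, rl) == 0 && out[rl] == '/' && out[rl + 1] != '\0';
}

int main(void)
{
    char out[1024];   /* constructed root and request-supplied DATA value */
    puts(data_path_allowed("/web/shapefiles", "../../home/other/private.shp", out, sizeof out) ? "allowed" : "rejected");
    return 0;
}
```

With the root set to "/", every absolute path passes, which matches the opt-out the message describes for existing applications.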

