[mapserver-dev] Re: MapServer security issue
Daniel Morissette
morissette at dmsolutions.ca
Tue Nov 19 13:27:51 EST 2002
Sorry to jump in the middle of this discussion... I still have several
messages to read in this thread and I'll try to read them and comment as
soon as I can find the time.
In the meantime...
Steve Lime wrote:
>
> In your scenario what's the benefit to the hacker in choosing another
> mapfile? They can't get at the contents, not through the MapServer
> and there's already a regex pattern applied to mapfile names. That
> pattern is in the source code as opposed to the environment but I
> see little value in something other than limiting the extension.
>
Imagine a server with multiple virtual hosts (or multiple apps) with
some apps serving public data, and some apps serving sensitive data
protected by some mechanism (e.g. password-protected using .htaccess or
access restriction by IP address, or ???).
The hacker (or interested visitor) could use the mapserv CGI instance
installed on the public server to open a mapfile that belongs to one of
the restricted applications.
After a quick read of his message I think that's what Jan is trying to
prevent, and I also see this as an important issue. That's why I
initially proposed that we modify the mapserv CGI so that the map=
parameter is disabled, either by default at build time, or at least when
the MS_MAPFILE env. var is set.
Daniel
--
------------------------------------------------------------
Daniel Morissette morissette at dmsolutions.ca
DM Solutions Group http://www.dmsolutions.ca/
------------------------------------------------------------
More information about the mapserver-dev
mailing list