[mapserver-dev] Re: MapServer security issue

Daniel Morissette morissette at dmsolutions.ca
Tue Nov 19 13:27:51 EST 2002

Sorry to jump in the middle of this discussion... I still have several
messages to read in this thread and I'll try to read them and comment as
soon as I can find the time.

In the meantime...

Steve Lime wrote:
> In your scenario what's the benefit to the hacker in choosing another
> mapfile? They can't get at the contents, not through the MapServer
> and there's already a regex pattern applied to mapfile names. That
> pattern is in the source code as opposed to the environment but I
> see little value in something other than limiting the extension.

Imagine a server with multiple virtual hosts (or multiple apps) with
some apps serving public data, and some apps serving sensitive data
protected by some mechanism (e.g. password-protected using .htaccess or
access restriction by IP address, or ???).

The hacker (or interested visitor) could use the mapserv CGI instance
installed on the public server to open a mapfile that belongs to one of
the restricted applications.

After a quick read of his message I think that's what Jan is trying to
prevent, and I also see this as an important issue.  That's why I
initially proposed that we modify the mapserv CGI so that the map=
parameter is disabled, either by default at build time, or at least when
the MS_MAPFILE env. var is set.

 Daniel Morissette               morissette at dmsolutions.ca
 DM Solutions Group              http://www.dmsolutions.ca/

More information about the mapserver-dev mailing list