[mapserver-dev] Re: MapServer security issue

Steve Lime steve.lime at dnr.state.mn.us
Tue Nov 19 15:11:46 EST 2002 

Yes, I see that someone could leverage one mapfile in place of another.
The only thing
they could really get is a picture although with WMS there might be
more. But it seems 
that unless you're really are running on mutiple hosts with one
application per host
 there's not much that can be  done to stop it. You could create a
pattern  to restrict 
access but that would also  prevent legimate access.

I don't think there's much of a problem with disabling map= with
MS_MAPFILE set, but 
it alone probably won't do much to fix this hole since you're not going
to use MS_MAPFILE
unless you only have one application. A MapServer web hotel would
benefit, yes.

Should I make that change?

Steve

Stephen Lime
Data & Applications Manager

Minnesota DNR
500 Lafayette Road
St. Paul, MN 55155
651-297-2937

>>> Daniel Morissette <morissette at dmsolutions.ca> 11/19/02 12:27PM >>>
Sorry to jump in the middle of this discussion... I still have several
messages to read in this thread and I'll try to read them and comment
as
soon as I can find the time.

In the meantime...

Steve Lime wrote:
> 
> In your scenario what's the benefit to the hacker in choosing
another
> mapfile? They can't get at the contents, not through the MapServer
> and there's already a regex pattern applied to mapfile names. That
> pattern is in the source code as opposed to the environment but I
> see little value in something other than limiting the extension.
> 

Imagine a server with multiple virtual hosts (or multiple apps) with
some apps serving public data, and some apps serving sensitive data
protected by some mechanism (e.g. password-protected using .htaccess
or
access restriction by IP address, or ???).

The hacker (or interested visitor) could use the mapserv CGI instance
installed on the public server to open a mapfile that belongs to one
of
the restricted applications.

After a quick read of his message I think that's what Jan is trying to
prevent, and I also see this as an important issue.  That's why I
initially proposed that we modify the mapserv CGI so that the map=
parameter is disabled, either by default at build time, or at least
when
the MS_MAPFILE env. var is set.

Daniel
-- 
------------------------------------------------------------
 Daniel Morissette               morissette at dmsolutions.ca 
 DM Solutions Group              http://www.dmsolutions.ca/ 
------------------------------------------------------------

More information about the mapserver-dev mailing list