[mapserver-dev] Re: MapServer security issue

Steve Lime steve.lime at dnr.state.mn.us
Tue Nov 19 15:11:46 EST 2002

Yes, I see that someone could leverage one mapfile in place of another.
The only thing
they could really get is a picture although with WMS there might be
more. But it seems 
that unless you're really are running on mutiple hosts with one
application per host
 there's not much that can be  done to stop it. You could create a
pattern  to restrict 
access but that would also  prevent legimate access.

I don't think there's much of a problem with disabling map= with
MS_MAPFILE set, but 
it alone probably won't do much to fix this hole since you're not going
unless you only have one application. A MapServer web hotel would
benefit, yes.

Should I make that change?


Stephen Lime
Data & Applications Manager

Minnesota DNR
500 Lafayette Road
St. Paul, MN 55155

>>> Daniel Morissette <morissette at dmsolutions.ca> 11/19/02 12:27PM >>>
Sorry to jump in the middle of this discussion... I still have several
messages to read in this thread and I'll try to read them and comment
soon as I can find the time.

In the meantime...

Steve Lime wrote:
> In your scenario what's the benefit to the hacker in choosing
> mapfile? They can't get at the contents, not through the MapServer
> and there's already a regex pattern applied to mapfile names. That
> pattern is in the source code as opposed to the environment but I
> see little value in something other than limiting the extension.

Imagine a server with multiple virtual hosts (or multiple apps) with
some apps serving public data, and some apps serving sensitive data
protected by some mechanism (e.g. password-protected using .htaccess
access restriction by IP address, or ???).

The hacker (or interested visitor) could use the mapserv CGI instance
installed on the public server to open a mapfile that belongs to one
the restricted applications.

After a quick read of his message I think that's what Jan is trying to
prevent, and I also see this as an important issue.  That's why I
initially proposed that we modify the mapserv CGI so that the map=
parameter is disabled, either by default at build time, or at least
the MS_MAPFILE env. var is set.

 Daniel Morissette               morissette at dmsolutions.ca 
 DM Solutions Group              http://www.dmsolutions.ca/ 

More information about the mapserver-dev mailing list