[mapserver-dev] [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS

Lime, Steve D (MNIT) steve.lime at state.mn.us
Mon Aug 7 08:20:01 PDT 2017


I'd favor the more simple and safer approach. It's not that difficult for the user to validate the layers requested against the GetCapabilities response. MapServer itself does not return the name of the invalid layer, presumably for the exact same reason. Instead you get "msWMSLoadGetMapParams(): WMS server error. Invalid layer(s) given in the LAYERS parameter. A layer might be disabled for this request. Check wms/ows_enable_request settings.".

Even, would you be willing to prepare a patch?

Steve

-----Original Message-----
From: mapserver-users [mailto:mapserver-users-bounces at lists.osgeo.org] On Behalf Of Jeff McKenna
Sent: Sunday, August 06, 2017 8:44 AM
To: mapserver-users at lists.osgeo.org
Subject: Re: [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS

On 2017-08-06 8:47 AM, Even Rouault wrote:
> Beste / devs,
> 
> adding the development list in CC.
> 
> I can confirm the issue on latest mapcache master. The vulnerability is the
> injection of a parameter value between XML comment markers <-- --> used for
> the error message. When this parameter value starts with --> it ends up the
> comment part and the rest of the value is then parsed as non-comment XML.
> By skimming through the code it appears there are several similar instances in
> this protocol and others as well.
> 
> I can see 2 options to fix this:
> - the safer one I think: do not return the invalid parameter value in the
> error message, but just the parameter name. So returning "Invalid layer name"
> instead of "Invalid layer {value_of_the_LAYER_parameter}". The important
> information is the name of the erroneous parameter, not its value (the user
> can figure that out himself)

I think users need the {value_of_the_LAYER_parameter}. Without that, it 
is impossible to debug with a large mapfile (with or without MapCache).

> - a more risky one: sanitize the value that is going to be put inside XML
> comments <--  --> . So that means at least removing --> sequences, but perhaps
> other things too ?
> 
> Even
> 

-jeff

-- 
Jeff McKenna
MapServer Consulting and Training Services
http://www.gatewaygeomatics.com/
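The sanitizing option Even sketches above, as an added example in C that is not MapCache's code: a value is checked for the two things XML forbids inside a comment, "--" and a trailing '-', and neutralised by inspecting the output as it is written, because deleting "-->" once can splice the surrounding characters into a new terminator. The function names and the `<!-- Invalid LAYER: ... -->` message shape are assumptions, and the input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Safe inside an XML comment only if it has no "--" (illegal in comments,
 * and the start of "-->") and does not end in '-' (would form "--->"). */
int is_comment_safe(const char *value)
{
    size_t n = strlen(value);
    if (n > 0 && value[n - 1] == '-')
        return 0;
    return strstr(value, "--") == NULL;
}

/* Copy that satisfies is_comment_safe(): a '-' right after an emitted '-'
 * (or at the end) becomes a space. Deleting "-->" once is not enough, since
 * removal can splice a new "-->"; checking the output as it is built cannot. */
char *comment_safe_copy(const char *value)
{
    size_t n = strlen(value);
    char *out = malloc(n + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        char c = value[i];
        if (c == '-' && ((i > 0 && out[i - 1] == '-') || i == n - 1))
            c = ' ';
        out[i] = c;
    }
    out[n] = '\0';
    return out;
}

/* Assumed message shape: the parameter value sits between comment markers. */
char *build_error_comment(const char *param_name, const char *value)
{
    char *safe = comment_safe_copy(value);
    if (!safe) return NULL;
    size_t len = strlen(param_name) + strlen(safe) + 32;
    char *msg = malloc(len);
    if (msg) snprintf(msg, len, "<!-- Invalid %s: %s -->", param_name, safe);
    free(safe);
    return msg;
}

int main(void)
{
    char *msg = build_error_comment("LAYER", "--> <x/> <!--"); /* constructed */
    printf("%s\n", msg); /* still a single comment; nothing escapes it */
    free(msg);
}
```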