[mapserver-dev] [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS (mapcache)

Even Rouault even.rouault at spatialys.com
Tue Aug 8 02:03:38 PDT 2017


On lundi 7 août 2017 19:40:58 CEST Even Rouault wrote:
> On lundi 7 août 2017 12:50:34 CEST Daniel Morissette wrote:
> > Would it not be sufficient to HTML-encode the values before sending them
> > out? In this case, the "-->" would become "--&gt;" which would fix the
> > vulnerability. We use msEncodeHTMLEntities() for this in mapserv:
> > 
> > https://github.com/mapserver/mapserver/blob/branch-7-0/mapstring.c#L1225
> 
> As double hyphen is prohibited inside XML comments for compatibility reasons,
> I believe we should also (in that context, that alone should be sufficient)
> escape - as &45; (although entities aren't really "official" inside XML
> comments, but at least this is valid XML)
> 
> In other protocols, for example wms, I see the exception is wrapped in a
> <![CDATA[   bla ]] marker. I guess the reason was to avoid escaping the &
> entities from the user request. I think the wrapping inside [CDATA[ should
> be replaced by standard XML escaping ala msEncodeHTMLEntities()
> 
> Actually it seems only WMS and WMTS are affected. Other protocols return an
> error message as plaintext.

I've prepared a pull request in line with the above ideas :
https://github.com/mapserver/mapcache/pull/172

Review and testing from others appreciated.

I'm not completely sure that an XSS vulnerability in a Web browser is possible
in the WMS case, since the content-type is application/vnd.ogc.se_xml, which
Firefox doesn't understand as XML, contrary to the WMTS case where the
content-type is application/xml. Anyway, in the WMS case the returned document
could be invalid XML if injecting appropriate input values, so better fix it.

Even

-- 
Spatialys - Geospatial professional services
http://www.spatialys.com
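The escaping discussed in the thread, as an added example that is not mapcache's code nor the pull request: a C helper in the spirit of msEncodeHTMLEntities() that, besides the usual five XML characters, also turns '-' into the numeric character reference &#45; so the output can never contain "--", and a check that shows a constructed comment-breakout payload closing the comment when interpolated raw but not after escaping. All function names (escape_xml_text, build_error_doc, comment_breakout, and the helpers) and the ExceptionReport skeleton are hypothetical; the payload is constructed for illustration. Note the caveat from the thread: character references are not expanded inside an XML comment, so a reader of the comment sees the literal &#45; text, but the document stays well-formed and no "-->" can be formed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not mapcache's): escape user-controlled text so it is
 * safe as XML character data AND inside an XML comment. '-' becomes &#45; so
 * the result can never contain "--", which is forbidden in comments and would
 * close one. Returns a malloc'd string the caller frees, or NULL on OOM. */
char *escape_xml_text(const char *s)
{
    char *out = malloc(strlen(s) * 6 + 1);   /* worst case: byte -> "&quot;" */
    if (!out)
        return NULL;
    char *p = out;
    for (; *s; s++) {
        const char *rep;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&apos;"; break;
        case '-':  rep = "&#45;";  break;
        default:   *p++ = *s;      continue;
        }
        size_t l = strlen(rep);
        memcpy(p, rep, l);
        p += l;
    }
    *p = '\0';
    return out;
}

/* Assemble a WMTS-style exception document that, like the code discussed on
 * the page, places the message inside an XML comment. escape == 0 interpolates
 * the message raw (the reported bug); escape != 0 runs it through
 * escape_xml_text(). Caller frees the result; NULL on OOM. */
char *build_error_doc(const char *msg, int escape)
{
    static const char head[] =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<ExceptionReport><!-- ";
    static const char tail[] = " --></ExceptionReport>\n";
    char *body = escape ? escape_xml_text(msg) : NULL;
    if (escape && !body)
        return NULL;
    const char *b = escape ? body : msg;
    size_t hl = sizeof head - 1, bl = strlen(b);
    char *doc = malloc(hl + bl + sizeof tail);
    if (doc) {
        memcpy(doc, head, hl);
        memcpy(doc + hl, b, bl);
        memcpy(doc + hl + bl, tail, sizeof tail);   /* copies the NUL too */
    }
    free(body);
    return doc;
}

static int count_substr(const char *hay, const char *needle)
{
    int n = 0;
    size_t l = strlen(needle);
    for (const char *p = hay; (p = strstr(p, needle)) != NULL; p += l)
        n++;
    return n;
}

/* 1 if the document holds a comment terminator beyond the single one that
 * build_error_doc() writes itself, i.e. the message broke out of the comment. */
int comment_breakout(const char *doc)
{
    return count_substr(doc, "-->") > 1;
}

/* 1 if escaping msg leaves neither "--" nor '<' behind (safe for a comment
 * and for element content); 0 if unsafe or on OOM. */
int escaped_is_comment_safe(const char *msg)
{
    char *e = escape_xml_text(msg);
    int ok = e && strstr(e, "--") == NULL && strchr(e, '<') == NULL;
    free(e);
    return ok;
}

/* Build the document with or without escaping and report a breakout. */
int doc_breaks_out(const char *msg, int escape)
{
    char *doc = build_error_doc(msg, escape);
    int r = doc ? comment_breakout(doc) : -1;
    free(doc);
    return r;
}

int main(void)
{
    /* constructed payload: closes the comment, injects a script element, and
     * reopens a comment so the remainder of the document still parses */
    const char *payload = "--><script>alert(1)</script><!--";
    for (int escape = 0; escape < 2; escape++) {
        char *doc = build_error_doc(payload, escape);
        if (!doc)
            return 1;
        printf("%s\n%scomment breakout: %s\n\n", escape ? "escaped:" : "raw:",
               doc, comment_breakout(doc) ? "yes" : "no");
        free(doc);
    }
    return 0;
}
```

Running it prints the raw document with two "-->" terminators (the injected script element sits outside the comment, which is the XSS when the browser treats the response as XML) and the escaped document with a single one. The same escape_xml_text() output is also valid inside ordinary element content, which is what replacing the WMS CDATA wrapper with standard escaping would need.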