[mapserver-dev] [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS (mapcache)
Lime, Steve D (MNIT)
steve.lime at state.mn.us
Tue Aug 8 11:15:32 PDT 2017
Thanks for doing this, I will review after my day job ends. I suppose I need to request a CVE id? Packagers seem to appreciate that. --Steve
From: mapserver-dev [mailto:mapserver-dev-bounces at lists.osgeo.org] On Behalf Of Even Rouault
Sent: Tuesday, August 08, 2017 4:04 AM
To: mapserver-dev at lists.osgeo.org
Cc: Beste Seymen <besteseymen at sabanciuniv.edu>; Daniel Morissette <dmorissette at mapgears.com>
Subject: Re: [mapserver-dev] [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS (mapcache)
On Monday 7 August 2017 19:40:58 CEST Even Rouault wrote:
> On Monday 7 August 2017 12:50:34 CEST Daniel Morissette wrote:
> > Would it not be sufficient to HTML-encode the values before sending them
> > out? In this case, the "-->" would become "--&gt;" which would fix the
> > vulnerability. We use msEncodeHTMLEntities() for this in mapserv:
> >
> > https://github.com/mapserver/mapserver/blob/branch-7-0/mapstring.c#L1225
>
> As double hyphen is prohibited inside XML comments for compatibility reasons,
> I believe we should also (in that context, that alone should be sufficient)
> escape - as &45; (although entities aren't really "official" inside XML
> comments, but at least this is valid XML)
>
> In other protocols, for example wms, I see the exception is wrapped in a
> <![CDATA[ bla ]] marker. I guess the reason was to avoid escaping the &
> entities from the user request. I think the wrapping inside [CDATA[ should
> be replaced by standard XML escaping ala msEncodeHTMLEntities()
>
> Actually it seems only WMS and WMTS are affected. Other protocols return an
> error message as plaintext.
I've prepared a pull request in line with the above ideas :
https://github.com/mapserver/mapcache/pull/172
Review and testing from others appreciated.
I'm not completely sure that an XSS vulnerability in a Web browser is possible in the WMS case since the content-type is application/vnd.ogc.se_xml, which Firefox doesn't understand as XML. Contrary to the WMTS case where the content-type is application/xml. Anyway in the WMS case, the returned document could be invalid XML if injecting appropriate input values, so better fix it.
Even
--
Spatialys - Geospatial professional services
http://www.spatialys.com
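The escaping the thread converges on, written out as an added C example (this is not mapcache's code nor the pull request, and the function names and the sample 'layer' value are invented here): standard XML escaping of user-supplied values in place of the CDATA wrapping, plus, when the value lands inside an XML comment, emitting '-' as &#45; so that no "--" can survive. As the thread notes, entities are not formally defined inside comments; the point is only that the output can no longer close the comment or inject markup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Escape a user-controlled value for insertion into an XML document.
 * in_comment != 0 means the value lands inside <!-- ... -->, where "--"
 * is forbidden, so '-' is additionally emitted as &#45;.
 * Returns a malloc'd string that the caller frees. */
char *xml_escape(const char *s, int in_comment) {
    char *out = malloc(strlen(s) * 6 + 1);   /* longest replacement is 6 bytes */
    char *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&apos;"; break;
        case '-':  if (in_comment) rep = "&#45;"; break;
        }
        if (rep) { size_t n = strlen(rep); memcpy(p, rep, n); p += n; }
        else *p++ = *s;
    }
    *p = '\0';
    return out;
}
/* 1 if the escaped text can neither terminate an enclosing comment nor
 * introduce markup: no "--", '<' or '>' may remain. */
int is_safe_for_comment(const char *escaped) {
    return strstr(escaped, "--") == NULL &&
           strchr(escaped, '<') == NULL &&
           strchr(escaped, '>') == NULL;
}
int main(void) {
    /* Constructed sample: a 'layer' value that tries to close the comment
     * an exception report puts it in and add markup after it. */
    const char *layer = "roads--><b>not a layer</b><!--";
    char *in_comment = xml_escape(layer, 1);
    char *in_text = xml_escape(layer, 0);
    printf("<!-- layer %s not found -->\n", in_comment);
    printf("<ServiceException>layer %s not found</ServiceException>\n", in_text);
    printf("comment-safe: %d\n", is_safe_for_comment(in_comment));
    free(in_comment); free(in_text);
    return 0;
}
```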