[Mapserver-users] Mapserver Security Issues

Andrew Arace AArace at geonetics.com
Tue Jan 20 14:44:17 EST 2004


Michael Smith,
I have run into security concerns with IIS and cgi directories blocking
paths to .exe files.
There are two main things you need to do.
First, if mapserver is running from a virtual directory (such as
Scripts) make sure that the virtual directory properties have "Scripts
and Executables" selected for execute rights.

Second are security issues with URLScan.
It seems with IIS 5 on Win2000, there is a program that is installed
to protect your webserver from malformed URL attacks. The program is
URLScan, and info can be found on the Microsoft site here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/urlscan.asp


It basically blocks any attempt to execute an EXE on the server, as
well as other malformed URLs. You need to change a setting in the config
file; it is in your system32 directory, under
inetsrv\urlscan

Read the Microsoft documentation on the settings.

To secure my server, I allowed exe execution, but put cases into the
DenyUrlSequences section to deny any attempts for URLs to execute
'cmd.exe', or any URL containing 'winnt', 'system32', etc.

Hope this helps,
-Andrew


--
Andrew Arace
aarace at geonetics.com 
Software Engineer
Geonetics, Inc
(617) 896 - 4409
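As an added example, not taken from Andrew's message or from the MapServer project, here is a constructed urlscan.ini fragment that applies the two URLScan changes he describes: `.exe` is left out of the `[DenyExtensions]` list so the MapServer CGI can execute, and `[DenyUrlSequences]` gets entries that reject the strings he names. The section and option names are URLScan's own; which extensions to keep denied and the exact sequences listed are assumptions chosen for illustration, so check them against Microsoft's documentation for your version.

```ini
; Constructed urlscan.ini fragment (added example, not the poster's real file).
; Default location: %SystemRoot%\system32\inetsrv\urlscan\urlscan.ini

[options]
UseAllowVerbs=1             ; only verbs listed under [AllowVerbs] are accepted
UseAllowExtensions=0        ; deny-list mode: everything passes except [DenyExtensions]
NormalizeUrlBeforeScan=1    ; decode the URL once before matching sequences
VerifyNormalization=1       ; reject URLs that change again on a second decode
AllowDotInPath=0            ; no extra dots in the path (limits extension spoofing)
EnableLogging=1             ; every rejected request is written to the URLScan log

[AllowVerbs]
GET
POST

[DenyExtensions]
; Microsoft's default list also contains .exe; it is deliberately omitted
; here so that /scripts/mapserv.exe can run. The rest stay denied
; (assumed subset of the defaults for illustration).
.bat
.cmd
.com
.ini
.log

[DenyUrlSequences]
..          ; directory traversal
./          ; trailing dot on a directory name
\           ; backslashes
:           ; alternate data streams
cmd.exe     ; entries from the message: block reaching the command shell ...
winnt       ; ... or anything referring to the Windows directory
system32
```

URLScan's default `[DenyUrlSequences]` also ships `%` and `&` entries; if legitimate MapServer requests start failing after the file is edited, the URLScan log (kept next to urlscan.ini by default) shows which rule rejected them, which is the quickest way to tell a misconfiguration from an actual probe.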

>>> "Michael Smith" <msmith at sanangelompo.org> 11:10:02 AM Tuesday, January 20, 2004 >>>
Hi all,

I plan on running Mapserver on a Windows 2003 Server running IIS 6. What
security issues should be considered for running Mapserver, since I assume
many of you are currently hosting Mapserver on your webs? Does anyone have
any suggestions, considerations, or web sites with any info on this?

One issue my IT dept. suggested was housing my "data" directory outside of
my IIS wwwroot folder... is this a security concern?

Michael Smith, Planner II
City of San Angelo
Planning & Development
325.657.4210 Fax: 325.481.2648
Email: msmith at sanangelompo.org 

_______________________________________________
Mapserver-users mailing list
Mapserver-users at lists.gis.umn.edu 
http://lists.gis.umn.edu/mailman/listinfo/mapserver-users 

