[mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS
Even Rouault
even.rouault at spatialys.com
Sun Aug 6 04:47:28 PDT 2017
Beste / devs,
adding the development list in CC.
I can confirm the issue on latest mapcache master. The vulnerabililty is the
injection of a parameter value between XML comment markers <-- --> used for
the error message. When this parameter value starts with --> it ends up the
comment part and the rest of the value is then parsed as non-comment XML.
By skimming through the code it appears there are several similar instances in
this protocol and others as well.
I can see 2 options to fix this:
- the safer one I think: do not return the invalid parameter value in the
error message, but just the parameter name. So returning "Invalid layer name"
instead of "Invalid layer {value_of_the_LAYER_parameter}". The important
information is the name of the erroneous parameter, not its value (the user
can figure it that himself)
- a more risky one: sanitize the value that is going to be put inside XML
comments <-- --> . So that means at least removing --> sequences, but perhaps
other things too ?
Even
> Hello,
>
> I'm a student working on a school project that utilises mapserver 6.2
> installed from rpm on RedHat OS. My advisors are very concerned about the
> security of the system. From the security reports, we obtained this XSS
> vulnerability on the 'layer' parameter of WMTS service.
>
> http://example.com/mapcache/wmts/?SERVICE=WMTS&REQUEST=
> GetTile&VERSION=1.0.0&LAYER=--%3E%3ca%20xml
>
> ns%3aa%3d%27http%3a%2f%2fwww.w3.org%2f1999%2fxhtml%27%3e%
> 3ca%3abody%20onload%3d%27alert(1111)%27%2f
> %3e%3c%2fa%3e&STYLE=default&TILEMATRIXSET=epsg3857&TILEMATRIX=6&TILEROW=23&
> TILECOL=38&FORMAT=
>
> I wonder if the newer versions of mapserver have this issue or is there any
> way to solve it?
> Any help would be appreciated.
>
> Beste
--
Spatialys - Geospatial professional services
http://www.spatialys.com
More information about the MapServer-users
mailing list