[mapserver-users] mapserver cgi-bin security
Sebastiano Laini
Sebastiano.Laini at BuchananComputing.co.uk
Mon Nov 25 02:19:02 PST 2019
Hi All,
We submitted our new system to a pen-test and apparently it is pretty easy for it to be infected by SQL injection. Has anyone come across this before?
We run the feature layer through a cgi-bin request; see the script below:
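#!/bin/sh
# CGI wrapper: force the mapfile, then hand the request to mapserv.
MAPSERV="/var/.../cgi-bin/mapserv"
MAPFILE="/var/.../twfeat.map"

if [ "${REQUEST_METHOD}" = "GET" ]; then
    # Prepend the fixed mapfile to whatever the client sent.
    if [ -z "${QUERY_STRING}" ]; then
        QUERY_STRING="map=${MAPFILE}"
    else
        QUERY_STRING="map=${MAPFILE}&${QUERY_STRING}"
    fi
    export QUERY_STRING
    exec "${MAPSERV}"
else
    # A CGI response needs a header block before the body.
    echo "Content-Type: text/plain"
    echo
    echo "Sorry, I only understand GET requests."
fi
exit 1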
How can you sanitize or implement security layers?
Kind Regards,
Sebastiano Laini
Web Developer
Buchanan Computing
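
One way to constrain what a wrapper like the one above passes on, as an added example that is not part of the original post: an allowlist check on QUERY_STRING. The allowed parameter names (WMS-style), the permitted character set and the refusal of a client-supplied map= are assumptions to adapt to the actual service.

```sh
#!/bin/sh
# Added example: allowlist check for a CGI QUERY_STRING before mapserv sees it.
# Allowed keys and the character set are assumptions; adapt them to your layers.

# Returns 0 if every key=value pair is acceptable, 1 otherwise.
validate_query() {
    qs=$1
    [ -n "$qs" ] || return 0
    # Reject quotes, semicolons, spaces, '%' (encoded bytes) and other metacharacters.
    case $qs in
        *[!A-Za-z0-9_=.,:/\&-]*) return 1 ;;
    esac
    rc=0
    old_ifs=$IFS; IFS='&'; set -f
    for pair in $qs; do
        key=${pair%%=*}
        # A pair with no '=' is malformed.
        [ "$pair" != "$key" ] || { rc=1; break; }
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case $lkey in
            # WMS-style parameters this hypothetical service needs.
            service|version|request|layers|styles|srs|crs|bbox) ;;
            width|height|format|transparent) ;;
            # Everything else, including a client-supplied map=, is refused.
            *) rc=1; break ;;
        esac
    done
    IFS=$old_ifs; set +f
    return $rc
}

# Constructed sample query strings (not from the original post).
for sample in \
    'SERVICE=WMS&REQUEST=GetMap&LAYERS=roads&BBOX=0,0,10,10' \
    'map=/tmp/other.map&SERVICE=WMS' \
    "SERVICE=WMS&LAYERS=roads'"
do
    if validate_query "$sample"; then
        echo "ACCEPT $sample"
    else
        echo "REJECT $sample"
    fi
done
```

In the wrapper, the call would go before QUERY_STRING is rewritten, with an error response sent instead of running mapserv when it returns non-zero.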