[mapserver-users] mapserver cgi-bin security
Jim Klassen
klassen.js at gmail.com
Fri Nov 29 11:51:24 PST 2019
You didn't provide enough information to give specific recommendations.
However, generally there are some things you can do.
Look at the environment variables MapServer supports for selecting the
mapfile. If you let that pass into the QUERYSTRING, someone can specify
the map= paramater multiple times and I'm not sure which one takes
precedence.
Look for:
MS_MAPFILE
MS_MAPFILE_PATTERN
MS_MAP_NO_PATH
Also, make sure you set the VALIDATION blocks in your mapfiles for any
substitution parameters you allow in from the request.
You should avoid allowing substitutions into the DATA field (assuming
here that SQL injection means your mapfile is hitting a database without
a fixed SQL statement).
As as a defense in depth measure, you should make sure that the account
MapServer uses to connect to your database has the minimum privileges
necessary (generally only SELECT on a handful of tables).
I'm not sure what running through that script is getting you except for
slowing down the response time and opening you up to potential bugs in
your script and bash. You can set environment variables and filter
based on method directly in Apache (and I presume other common web
servers as well).
On 11/25/19 4:19 AM, Sebastiano Laini wrote:
>
> Hi All,
>
> We submitted our new system to a pen-test and apparently is pretty
> easy to be infected by SQL-injection, anyone came across this before?
>
> We run the feature layer through a cgi-bin request, see the script below
>
> #! /bin/sh
>
> MAPSERV="/var/…/cgi-bin/mapserv"
>
> MAPFILE="/var/…/twfeat.map"
>
> if [ "${REQUEST_METHOD}" = "GET" ]; then
>
> if [ -z "${QUERY_STRING}" ]; then
>
> QUERY_STRING="map=${MAPFILE}"
>
> else
>
> QUERY_STRING="map=${MAPFILE}&${QUERY_STRING}"
>
> fi
>
> exec ${MAPSERV}
>
> else
>
> echo "Sorry, I only understand GET requests."
>
> fi
>
> exit 1
>
> how can you sanitize or implement security layers?
>
> Kind Regards,
>
> Sebastiano Laini
>
> Web Developer
>
> Buchanan Computing
>
>
> _______________________________________________
> mapserver-users mailing list
> mapserver-users at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/mapserver-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-users/attachments/20191129/83c2d6b4/attachment.html>
More information about the mapserver-users
mailing list