<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">You didn't provide enough information
to give specific recommendations. However, generally there are
some things you can do.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Look at the environment variables
MapServer supports for selecting the mapfile. If you let that
pass into the QUERY_STRING, someone can specify the map= parameter
multiple times and I'm not sure which one takes precedence.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Look for: </div>
<div class="moz-cite-prefix"> MS_MAPFILE</div>
<div class="moz-cite-prefix"> MS_MAPFILE_PATTERN</div>
<div class="moz-cite-prefix"> MS_MAP_NO_PATH<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Also, make sure you set the VALIDATION
blocks in your mapfiles for any substitution parameters you allow
in from the request.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">You should avoid allowing substitutions
into the DATA field (assuming here that SQL injection means your
mapfile is hitting a database without a fixed SQL statement).</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">As a defense in depth measure, you
should make sure that the account MapServer uses to connect to
your database has the minimum privileges necessary (generally only
SELECT on a handful of tables).<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I'm not sure what running through that
script is getting you except for slowing down the response time
and opening you up to potential bugs in your script and bash. You
can set environment variables and filter based on method directly
in Apache (and I presume other common web servers as well).<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 11/25/19 4:19 AM, Sebastiano Laini
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:487fc53f105145b890c5dfbf0a0ddeef@BCExchange.BuchananComputing.co.uk">
<div class="WordSection1">
<p class="MsoNormal">Hi All,</p>
<p class="MsoNormal">We submitted our new system to a pen-test
and apparently it is pretty easy to be infected by SQL injection;
has anyone come across this before?</p>
<p class="MsoNormal">We run the feature layer through a cgi-bin
request; see the script below.</p>
<pre>#! /bin/sh
# Wrapper in front of the MapServer CGI: pins the mapfile, then hands the
# request (GET only) over to mapserv.
MAPSERV="/var/…/cgi-bin/mapserv"
MAPFILE="/var/…/twfeat.map"
if [ "${REQUEST_METHOD}" = "GET" ]; then
    # The client's query string is appended after map=, so any map= the
    # client sends also reaches mapserv.
    if [ -z "${QUERY_STRING}" ]; then
        QUERY_STRING="map=${MAPFILE}"
    else
        QUERY_STRING="map=${MAPFILE}&amp;${QUERY_STRING}"
    fi
    export QUERY_STRING            # make sure mapserv sees the rewritten value
    exec "${MAPSERV}"
else
    # A CGI response needs a header before the body, otherwise the web
    # server reports a malformed-script error instead of this message.
    printf 'Content-Type: text/plain\n\n'
    echo "Sorry, I only understand GET requests."
fi
exit 1
</pre>
<p class="MsoNormal">How can you sanitize or implement security
layers?</p>
<p class="MsoNormal">Kind Regards,</p>
<p class="MsoNormal"><span style="color:#1F497D">Sebastiano
Laini</span></p>
<p class="MsoNormal"><span style="color:#1F497D">Web
Developer</span></p>
<p class="MsoNormal"><span style="color:#1F497D">Buchanan
Computing</span></p>
</div>
<pre class="moz-quote-pre" wrap="">_______________________________________________
mapserver-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:mapserver-users@lists.osgeo.org">mapserver-users@lists.osgeo.org</a>
<a class="moz-txt-link-freetext" href="https://lists.osgeo.org/mailman/listinfo/mapserver-users">https://lists.osgeo.org/mailman/listinfo/mapserver-users</a></pre>
</blockquote>
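<p>The point made in the reply about the quoted wrapper, as an added example that is not code from the thread: the script below rebuilds QUERY_STRING the way the wrapper does, shows that a client-supplied map= survives alongside the server's own, and then gives a hardened builder that discards it and checks the remaining values against a conservative pattern, the same idea a mapfile VALIDATION block applies inside MapServer. The mapfile path, the allowed-parameter list and the value pattern are assumptions for the demonstration; the example does not exec mapserv.</p>

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds QUERY_STRING the way the
# quoted wrapper does, shows that a client-supplied map= survives alongside the
# server's own, then gives a hardened builder that drops it and checks the
# remaining values the way a mapfile VALIDATION block would. The mapfile path,
# the allowed-parameter list and the value pattern are assumptions.
set -f                                  # no filename globbing on query data

MAPFILE="/srv/maps/twfeat.map"          # assumed path
ALLOWED_PARAMS="mode layers bbox width height srs format"   # assumed allowlist

# The quoted wrapper's logic: the client's query string is appended unfiltered,
# so "map=/tmp/evil.map" from the client ends up in the string as well.
naive_query_string() {
    if [ -z "$1" ]; then
        printf 'map=%s' "$MAPFILE"
    else
        printf 'map=%s&%s' "$MAPFILE" "$1"
    fi
}

# How many map= parameters a query string carries (prints the number).
count_map_params() {
    printf '%s\n' "$1" | tr '&' '\n' | awk '/^map=/ { n++ } END { print n + 0 }'
}

# Hardened builder: the mapfile is fixed server-side, a client map= (and any
# other key not in the allowlist) is discarded, and every remaining value must
# match a conservative character set. Returns 1 (reject the request) otherwise.
safe_query_string() {
    out="map=$MAPFILE"
    oldifs=$IFS
    IFS='&'
    for pair in $1; do
        case $pair in *=*) ;; *) continue ;; esac      # ignore bare tokens
        key=${pair%%=*}
        value=${pair#*=}
        case " $ALLOWED_PARAMS " in
            *" $key "*) ;;                              # allowed key
            *) continue ;;                              # drop map= and the rest
        esac
        case $value in
            '' | *[!A-Za-z0-9._,:+-]*)                  # empty or unsafe chars
                IFS=$oldifs
                return 1 ;;
        esac
        out="$out&$key=$value"
    done
    IFS=$oldifs
    printf '%s' "$out"
}

# Demonstration on constructed query strings.
attack="map=/tmp/evil.map&mode=map&layers=roads"
echo "naive : $(naive_query_string "$attack")  (map= count: $(count_map_params "$(naive_query_string "$attack")"))"
echo "safe  : $(safe_query_string "$attack")"
if safe_query_string "layers=roads'--" >/dev/null; then
    echo "unexpected: injection-looking value accepted"
else
    echo "safe  : rejected layers=roads'--"
fi
```

<p>The naive string carries two map= parameters, so which mapfile mapserv opens is decided by mapserv's parsing rather than by the wrapper; the hardened builder never lets the client's value through in the first place. Whether to do this in a wrapper at all is the reply's separate point: the same restrictions can be expressed in the web server configuration.</p>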
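<p>The reply's suggestion to set the mapfile and filter on the HTTP method in the web server instead of in a wrapper script, as an added Apache example that is not configuration from the thread or from the MapServer project. The URL path, the mapfile path and the variable name TWFEAT are assumptions; the directives are standard Apache 2.4 (mod_alias, mod_env, mod_authz_core) and the MS_* variables are the ones named in the reply.</p>

```apache
# Added example, not from the original thread. Paths and the TWFEAT name are
# assumptions; adjust to the real installation.
ScriptAlias "/cgi-bin/mapserv" "/usr/lib/cgi-bin/mapserv"

<Location "/cgi-bin/mapserv">
    # Default mapfile used when the request carries no map= parameter, so
    # clients no longer need to supply one.
    SetEnv MS_MAPFILE "/srv/maps/twfeat.map"

    # With MS_MAP_NO_PATH set, a map= value is treated as the NAME of an
    # environment variable, not as a filesystem path; mapserv reads the path
    # from that variable, so a client cannot point it at an arbitrary file.
    # Only the names you define here resolve to anything.
    SetEnv MS_MAP_NO_PATH 1
    SetEnv TWFEAT "/srv/maps/twfeat.map"

    # If you let clients pass real paths instead, MS_MAPFILE_PATTERN restricts
    # what the map= value may look like (the default pattern requires a .map
    # suffix); the MS_MAP_NO_PATH route above is the tighter one.
    # SetEnv MS_MAPFILE_PATTERN "^/srv/maps/[a-z]+\.map$"

    # Only GET and HEAD reach the CGI; POST, PUT, etc. are refused by Apache
    # before mapserv runs, replacing the REQUEST_METHOD check in the script.
    <LimitExcept GET HEAD>
        Require all denied
    </LimitExcept>
</Location>
```

<p>After this there is nothing for a shell wrapper to do: the mapfile is chosen by the environment, a client map= can only name a variable the administrator defined, and non-GET requests never start a process.</p>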
</body>
</html>