[QGIS-Developer] Potential vulnerabilities

Jonathan Moules jonathan-lists at lightpear.com
Sun Feb 2 05:21:10 PST 2020


Hi Jorge,
I don't run QGIS Server; I was basing that on the original report by 
Nadia to the list, which shows a 500 response for that request to their box.
But yes, testing that URL against some (ostensibly) QGIS servers I can 
find online, it does seem to work as expected. Not sure why Nadia got a 
500 back...
Cheers,
Jonathan

On 2020-02-01 21:58, Jorge Gustavo Rocha wrote:
> Hi Jonathan,
>
> If the service is unknown, my QGIS Server reports:
>
> <ServiceExceptionReport version="1.3.0" xmlns="http://www.opengis.net/ogc">
>   <ServiceException code="Service configuration error">Service unknown or
> unsupported</ServiceException>
> </ServiceExceptionReport>
>
> Which QGIS Server are you using? Have you filed a bug?
>
> Your help is appreciated :-)
>
> Regards,
>
> Jorge Gustavo
>
> On 01/02/20 21:25, Jonathan Moules wrote:
>> I can't comment on the security aspect, but at the very least there's a
>> bug in the WMS compliance. For the GetCapabilities URL it should be
>> returning an XML Service Exception (because it has an invalid SERVICE
>> value), not a HTTP 500.
>>
>> I.e., the same request to a (random) GeoServer box shows the sort of
>> thing that should be coming back:
>>
>> http://si.icnf.pt/geoserver/POEM/ows?REQUEST=GetCapabilities&SERVICE=…&VERSION=1.3.0
>>
>>
>>
>> On 2020-02-01 18:33, nadiaspit wrote:
>>> Hi,
>>> I am a student in the Cybersecurity Master's programme at the University of Pisa. My final
>>> project is a security test of an installation of QGIS Server +
>>> Lizmap Web Client.
>>> At a first analysis, I found out that lizmap web client is vulnerable to
>>> "Buffer overflow attack"
>>> https://www.owasp.org/index.php/Buffer_overflow_attack
>>>
>>> The problem:
>>> "Potential Buffer Overflow. The script closed the connection and threw
>>> a 500
>>> Internal Server Error"
>>> The solution:
>>> "Rewrite the background program using proper return length checking. This
>>> will require a recompile of the background executable."
>>>
>>> Here you can view the report
>>> <https://drive.google.com/file/d/12s-akDIr9s127kw6MSYKRp1ph29gY_u3/view?usp=sharing>:
>>>
>>> I also posted this question to the Lizmap Web Client GitHub: is the Buffer
>>> Overflow vulnerability a false positive for Lizmap Web Client?
>>>
>>> They suggested asking this group.
>>> Any help would be very appreciated.
>>>
>>> Kind Regards,
>>> Nadia Spitilli
>>>
>>>
>>>
>>> -- 
>>> Sent from:
>>> http://osgeo-org.1560.x6.nabble.com/QGIS-Developer-f4099106.html
>>> _______________________________________________
>>> QGIS-Developer mailing list
>>> QGIS-Developer at lists.osgeo.org
>>> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> J. Gustavo
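The point in dispute above is whether a bare HTTP 500 from the GetCapabilities request with an unsupported SERVICE value is evidence of anything more than a WMS compliance bug. The scanner's "potential buffer overflow" label is triggered by the 500 and the closed connection alone; a compliant server answers with an OGC ServiceExceptionReport, as Jorge's does. The following triage helper is an added example for this thread, not code from QGIS Server, Lizmap Web Client or the scanner: it builds the probe URL and classifies a captured response as a proper ServiceExceptionReport, a generic 500, or something else. The base URL example.invalid is a placeholder, and the two sample responses are constructed here (one from Jorge's quoted XML, one modelled on the 500 with empty body the scanner reported).

```python
"""Triage a WMS GetCapabilities probe with an unsupported SERVICE value.

Added example for the thread, not QGIS Server, Lizmap or scanner code.
Nothing here touches the network: classify_response() takes a status code
and body you already captured (e.g. with curl -i), so it runs offline.
"""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

OGC_NS = "{http://www.opengis.net/ogc}"

# Constructed samples. SAMPLE_SERVICE_EXCEPTION is the report Jorge's server
# returns; SAMPLE_500_BODY models the scanner's "closed the connection and
# threw a 500" observation (status 500, empty body). HTTP status for the
# XML case is assumed to be 200; the thread does not state it.
SAMPLE_SERVICE_EXCEPTION = (
    '<ServiceExceptionReport version="1.3.0" xmlns="http://www.opengis.net/ogc">'
    '<ServiceException code="Service configuration error">'
    "Service unknown or unsupported"
    "</ServiceException></ServiceExceptionReport>"
)
SAMPLE_500_BODY = ""


def probe_url(base_url, service="INVALID", version="1.3.0"):
    """Build the GetCapabilities URL with a deliberately unsupported SERVICE.

    base_url is whatever endpoint you are testing (hypothetical here).
    """
    params = {"REQUEST": "GetCapabilities", "SERVICE": service, "VERSION": version}
    return f"{base_url}?{urlencode(params)}"


def parse_service_exception(body):
    """Return (code, message) if body is an OGC ServiceExceptionReport, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Empty body or non-XML (HTML error page, truncated output): not a report.
        return None
    if root.tag != OGC_NS + "ServiceExceptionReport":
        return None
    exc = root.find(OGC_NS + "ServiceException")
    if exc is None:
        return None
    return (exc.get("code", ""), (exc.text or "").strip())


def classify_response(status, body):
    """Classify the server's answer to the invalid-SERVICE probe.

    ("service_exception", (code, msg))  WMS-compliant error, the expected answer
    ("http_500", None)                  generic server error: a compliance bug on
                                        this error path, but on its own no evidence
                                        of memory corruption, whatever a scanner
                                        heuristic calls it
    ("unexpected", None)                anything else, e.g. a capabilities document
                                        returned as if SERVICE had been ignored
    """
    exc = parse_service_exception(body)
    if exc is not None:
        return ("service_exception", exc)
    if status >= 500:
        return ("http_500", None)
    return ("unexpected", None)


if __name__ == "__main__":
    print(probe_url("https://example.invalid/ows"))
    print(classify_response(200, SAMPLE_SERVICE_EXCEPTION))
    print(classify_response(500, SAMPLE_500_BODY))
```

To use it against a real box, fetch the URL from probe_url() with curl -i, then pass the status line's code and the body to classify_response(). A "http_500" result is the compliance bug Jonathan describes and is worth a report on its own; turning it into a memory-safety claim would need the server's own error log or a crash, not just the status code.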