[Zoo-discuss] Security Advisory for MS4W users

[Jeff McKenna]

Dear ZOO monkeys, please see the message below for those running MS4W 
(or MapServer on any operating system) on public-facing servers.  thank-you.



-------- Forwarded Message --------

Hello everyone,

As the security of MS4W on your public-facing server is important, 
please take some time to review the possible security steps to enable 
for MS4W at: 
https://ms4w.com/README_INSTALL.html#securing-your-ms4w-installation You 
will notice MS4W examples, as well as instructions to use an online tool 
for testing your MS4W instance.

As stated there, setting the *MS_MAP_PATTERN* environment variable is 
strongly recommended for your server instance.

The past few weeks (and especially the past few days, which were full of 
intense regular expression testing) I have been working with Steve Lime 
closely and other MapServer steering committee members, to release the 
security advisory for MapServer: 
https://mapserver.org/announcements/2021-03-30-limit-mapfile-access.html

Future MS4W releases will likely be tighter, with definitely the popular 
.exe installer setting & enabling the *MS_MAP_PATTERN* regular 
expression on-the-fly, for new installations, as well as providing a few 
default settings in the distributed Apache httpd.conf file.

MS4W security is my priority, always has been, and I hope the examples 
and expressions that I provided in the MS4W readme above, help everyone 
implement, and take some of the fear of expressions away.

Thank-you all.


--
Thank-you for using MS4W.
"MS4W: open doors as well as windows"

-jeff


-- 
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/