FWD: [mapserver-users] Security Advisory - Limiting Mapfile Access


FWD: [mapserver-users] Security Advisory - Limiting Mapfile Access

Brent Fraser

Hi All,

  I wonder if we should review our GeoMoose Examples with this security issue in mind.  Comments?

Best Regards,
Brent Fraser



From: Steve Lime <[hidden email]>
Sent: 3/30/21 12:25 PM
To: MapServer Dev Mailing List <[hidden email]>, Mapserver <[hidden email]>
Subject: [mapserver-users] Security Advisory - Limiting Mapfile Access

Hi all: This is an important reminder that, as part of a secure deployment, it is important to limit MapServer CGI access to mapfiles. The MapServer CGI has long supported the use of environment variables as a primary mechanism to do this. If you haven't implemented these controls then that constitutes undue risk that is easily mitigated and we strongly encourage you to do so as soon as possible. It's also a great time to review those settings if you already have them in place as we've recently updated regex examples related to MS_MAP_PATTERN to limit path traversal.

 

Relevant documentation can be found at:

  • https://mapserver.org/optimization/limit_mapfile_access.html
  • https://mapserver.org/environment_variables.html

 

Please don't hesitate to reach out with questions.

 

--Steve



_______________________________________________
mapserver-users mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/mapserver-users

_______________________________________________
geomoose-psc mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/geomoose-psc
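The advisory above recommends restricting which mapfiles the CGI will open by way of environment variables, and notes that the MS_MAP_PATTERN regex examples were revised to limit path traversal. What follows is an added, runnable model of that check, written for this thread; it is not MapServer or GeoMoose code and the patterns in it are not taken from the MapServer documentation. It puts a prefix-only regex beside an allowlist regex, runs both against constructed `map=` values, and also models the MS_MAP_NO_PATH alias mode in which clients never send a filesystem path at all. Assumptions, also marked in the code: the order in which the CGI consults MS_MAPFILE, MS_MAP_NO_PATH and MS_MAP_PATTERN is simplified; MapServer evaluates the pattern as a POSIX extended regex, so only constructs shared with Python's `re` are used; the directory /var/www/mapfiles, the alias DEMO and every file name are invented.

```python
"""Mapfile selection hardening for the MapServer CGI, as a runnable model.

Added example, not MapServer or GeoMoose code. It models the documented
behaviour of MS_MAPFILE, MS_MAP_NO_PATH and MS_MAP_PATTERN so that a weak and
a hardened regex can be tested offline against attacker-style `map=` values.
Assumptions: the check order below is a simplification; MapServer's regex
dialect is POSIX ERE, so only constructs shared with Python's `re` appear;
/var/www/mapfiles, the alias DEMO and all file names are made up.
"""
import re
from typing import Mapping, Optional

# Weak: pins only the prefix. "/var/www/mapfiles/../../../etc/passwd" matches.
WEAK_PATTERN = r"^/var/www/mapfiles/"

# Hardened: one file name from a restricted character set, then ".map".
# Neither "/" nor "." can occur inside the name, so ".." and sub-directories
# are unrepresentable rather than merely filtered out.
HARDENED_PATTERN = r"^/var/www/mapfiles/[A-Za-z0-9_-]+\.map$"


class MapfileRejected(Exception):
    """Raised where the real CGI would answer with an error instead of a map."""


def matches(pattern: str, path: str) -> bool:
    # Nothing anchors the pattern for you: the anchors live in the pattern.
    return re.search(pattern, path) is not None


def select_mapfile(map_param: Optional[str], env: Mapping[str, str]) -> str:
    """Return the mapfile path the CGI would load for a given `map=` value.

    `env` stands in for the process environment (e.g. Apache SetEnv lines).
    """
    if map_param is None:
        # No map= in the query string: fall back to MS_MAPFILE or fail.
        if "MS_MAPFILE" not in env:
            raise MapfileRejected("no map parameter and no MS_MAPFILE")
        path = env["MS_MAPFILE"]
    elif "MS_MAP_NO_PATH" in env:
        # Alias mode: map=NAME names an environment variable holding the real
        # path, so the client never supplies a filesystem path at all.
        if map_param not in env:
            raise MapfileRejected("unknown mapfile alias %r" % map_param)
        path = env[map_param]
    else:
        path = map_param

    # Assumption: the pattern is applied to the resolved path in every mode.
    # Pairing it with alias mode stops map=HOME or map=PATH from resolving to
    # an arbitrary environment variable's value.
    if "MS_MAP_PATTERN" in env and not matches(env["MS_MAP_PATTERN"], path):
        raise MapfileRejected("map value %r fails MS_MAP_PATTERN" % path)
    return path


def allowed(map_param: Optional[str], env: Mapping[str, str]) -> bool:
    try:
        select_mapfile(map_param, env)
        return True
    except MapfileRejected:
        return False


# Constructed probes: one legitimate request and several traversal attempts.
PROBES = [
    "/var/www/mapfiles/demo.map",
    "/var/www/mapfiles/../../../etc/passwd",
    "/var/www/mapfiles/../mapfiles/../../tmp/evil.map",
    "/etc/passwd",
    "/var/www/mapfiles/sub/demo.map",
]


def survey(pattern: str) -> dict:
    """Map each probe to whether a deployment using `pattern` would accept it."""
    env = {"MS_MAP_PATTERN": pattern}
    return {p: allowed(p, env) for p in PROBES}


if __name__ == "__main__":
    for label, pat in (("weak", WEAK_PATTERN), ("hardened", HARDENED_PATTERN)):
        print(label, pat)
        for probe, ok in survey(pat).items():
            print("  %-6s %s" % ("ALLOW" if ok else "reject", probe))
    # Alias mode with the hardened pattern as a second line of defence.
    alias_env = {"MS_MAP_NO_PATH": "1", "HOME": "/root",
                 "DEMO": "/var/www/mapfiles/demo.map",
                 "MS_MAP_PATTERN": HARDENED_PATTERN}
    print("alias DEMO ->", select_mapfile("DEMO", alias_env))
    print("alias HOME allowed?", allowed("HOME", alias_env))
```

In Apache the hardened pattern is set with mod_env, e.g. `SetEnv MS_MAP_PATTERN "^/var/www/mapfiles/[A-Za-z0-9_-]+\.map$"`, in the context that serves the CGI; MS4W deployments use Windows paths with drive letters and backslashes, so the pattern has to be written for those. The allowlist shape is deliberate: POSIX ERE has no lookahead, so rather than trying to forbid `..` the pattern simply leaves `/` and `.` out of the permitted file-name characters. The documentation linked in the advisory lists the full set of variables and the project's recommended patterns; this model covers only the three named above.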

Re: FWD: [mapserver-users] Security Advisory - Limiting Mapfile Access

Dan Little-2
We could add a pattern but this really comes down to packaging and MapServer installation.

I am 100% willing to support packagers if we can do some small things in our CI to make them ready to go.

On Wed, Mar 31, 2021 at 9:27 AM Brent Fraser <[hidden email]> wrote:

Hi All,

  I wonder if we should review our GeoMoose Examples with this security issue in mind.  Comments?

Best Regards,
Brent Fraser




Re: FWD: [mapserver-users] Security Advisory - Limiting Mapfile Access

jmckenna
Hi all, I hope my -users response was well received. Not an easy subject, and an exhausting one, yet important.

I think maybe the GeoMoose-MS4W package (specifically the .conf files in /ms4w/httpd.d/gm*.conf) could link to the MS4W security-steps document now, and even include commented-out examples.

But then it is getting quite overlapping with the main MS4W installer (and likely the big upcoming MapServer 8.0, possibly containing even more additional security steps).

So right now, at this exact moment, I side more with making sure the documentation is excellent, and then adapting (fast) to the upcoming 8.0 changes that are most likely coming. (That's how I handled this thinking these past few weeks: focus first on existing MapServer installations on all platforms, make a good announcement, get it visible and out to all communities, and then make sure MS4W users have specific recommended steps AND recommended testing steps to enable on their existing servers.)

Maybe others feel differently on how to handle all this, but at least now I hope you can understand my logic, right or wrong.

Phew, exhausting ha.

Hope my explaining helps.

-jeff



On 2021-04-01 8:39 a.m., Dan Little wrote:

> We could add a pattern but this really comes down to packaging and
> MapServer installation.
>
> I am 100% willing to support packagers if we can do some small things in
> our CI to make them ready to go.


--
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/