Security Advisory for MS4W users


jmckenna
Administrator
Dear Mapbender community, please see the message below for those running
MS4W (or MapServer on any operating system) on public-facing servers.
Thank-you.



-------- Forwarded Message --------

Hello everyone,

As the security of MS4W on your public-facing server is important,
please take some time to review the possible security steps to enable
for MS4W at:
https://ms4w.com/README_INSTALL.html#securing-your-ms4w-installation
You will notice MS4W examples, as well as instructions to use an online
tool for testing your MS4W instance.

As stated there, setting the *MS_MAP_PATTERN* environment variable is
strongly recommended for your server instance.

The past few weeks (and especially the past few days, which were full of
intense regular expression testing) I have been working with Steve Lime
closely and other MapServer steering committee members, to release the
security advisory for MapServer:
https://mapserver.org/announcements/2021-03-30-limit-mapfile-access.html

Future MS4W releases will likely be tighter, with definitely the popular
.exe installer setting & enabling the *MS_MAP_PATTERN* regular
expression on-the-fly, for new installations, as well as providing a few
default settings in the distributed Apache httpd.conf file.

MS4W security is my priority, always has been, and I hope the examples
and expressions that I provided in the MS4W readme above, help everyone
implement, and take some of the fear of expressions away.

Thank-you all.


--
Thank-you for using MS4W.
"MS4W: open doors as well as windows"

-jeff


--
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/






_______________________________________________
Mapbender_users mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/mapbender_users
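
The kind of expression testing the message above describes, as an added example that is not part of the original post or of the MS4W readme: it runs a candidate `MS_MAP_PATTERN` value against constructed `map=` values and reports every case it gets wrong. The two patterns, the `/ms4w/apps/` directory and the sample paths are assumptions, and Python's `re` stands in for MapServer's own regex matching, so only constructs common to both are used.

```python
import re

# Constructed candidate value (an assumption, not the readme's expression):
# optional drive letter, the assumed directory /ms4w/apps/, sub-directories
# whose names contain no dots, then a file name ending in .map.
STRICT = r"^([A-Za-z]:)?/ms4w/apps/([A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.map$"

# Constructed weak value for comparison: unanchored, looks only for ".map".
LOOSE = r"\.map"

# Constructed map= values and whether the server should accept them.
CASES = [
    ("/ms4w/apps/demo/demo.map", True),
    ("C:/ms4w/apps/demo/service/wms.map", True),
    ("/ms4w/apps/demo.map", True),
    ("/ms4w/apps/../Apache/conf/httpd.conf", False),  # leaves the directory
    ("/ms4w/apps/demo/../../other/site.map", False),  # ".." path segments
    ("/ms4w/apps/demo/demo.map.bak", False),          # wrong extension
    ("/etc/passwd", False),
    ("/tmp/ms4w/apps/demo/demo.map", False),          # directory is not at the start
    ("demo.map", False),                              # relative path
    ("", False),
]


def audit(pattern, cases=CASES):
    """Return (value, expected, accepted) for every case the pattern gets wrong."""
    rx = re.compile(pattern)
    wrong = []
    for value, expected in cases:
        # search(), not match(): an unanchored pattern can match anywhere
        # in the value, which is exactly what makes it too permissive.
        accepted = rx.search(value) is not None
        if accepted != expected:
            wrong.append((value, expected, accepted))
    return wrong


if __name__ == "__main__":
    for name, pattern in (("STRICT", STRICT), ("LOOSE", LOOSE)):
        wrong = audit(pattern)
        print(f"{name}: {len(wrong)} unexpected result(s)")
        for value, expected, accepted in wrong:
            print(f"  {value!r}: expected accept={expected}, got accept={accepted}")
```
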
Re: Security Advisory for MS4W users

Astrid Emde (WhereGroup)
Hello Jeff,

thanks for sharing the information. The documentation of the steps is
very good!

Astrid

On 2021-03-31 22:04, Jeff McKenna wrote:

> Dear Mapbender community, please see the message below for those
> running MS4W (or MapServer on any operating system) on public-facing
> servers. Thank-you.
>
>
>
> -------- Forwarded Message --------
>
> Hello everyone,
>
> As the security of MS4W on your public-facing server is important,
> please take some time to review the possible security steps to enable
> for MS4W at:
> https://ms4w.com/README_INSTALL.html#securing-your-ms4w-installation
> You will notice MS4W examples, as well as instructions to use an
> online tool for testing your MS4W instance.
>
> As stated there, setting the *MS_MAP_PATTERN* environment variable is
> strongly recommended for your server instance.
>
> The past few weeks (and especially the past few days, which were full
> of intense regular expression testing) I have been working with Steve
> Lime closely and other MapServer steering committee members, to
> release the security advisory for MapServer:
> https://mapserver.org/announcements/2021-03-30-limit-mapfile-access.html
>
> Future MS4W releases will likely be tighter, with definitely the
> popular .exe installer setting & enabling the *MS_MAP_PATTERN* regular
> expression on-the-fly, for new installations, as well as providing a
> few default settings in the distributed Apache httpd.conf file.
>
> MS4W security is my priority, always has been, and I hope the examples
> and expressions that I provided in the MS4W readme above, help
> everyone implement, and take some of the fear of expressions away.
>
> Thank-you all.
>
>
> --
> Thank-you for using MS4W.
> "MS4W: open doors as well as windows"
>
> -jeff
>
>
> --
> Jeff McKenna
> GatewayGeo: Developers of MS4W, MapServer Consulting and Training
> co-founder of FOSS4G
> http://gatewaygeo.com/
--
Kind regards

Astrid Emde
GIS-Consultant

----------------------------------------------------
  Uplift through knowledge!
  Web seminars and online training
  at www.foss-academy.com
----------------------------------------------------
   Astrid Emde
   WhereGroup GmbH
   Eifelstraße 7
   53119 Bonn
   Germany

   Phone: +49(0)228 90 90 38 - 22
   Fax: +49(0)228 90 90 38 - 11

   [hidden email]
   www.wheregroup.com

   You can download my PGP public key from pgp.mit.edu:
   https://keys.openpgp.org/vks/v1/by-fingerprint/01F8152D36FC07C25EADDE86C5084ACC1C287CCB
   Signed and/or encrypted messages are very welcome

   Follow WhereGroup on Twitter:
   http://twitter.com/WhereGroup_com

   Managing directors:
   Olaf Knopp, Peter Stamm
   Amtsgericht Bonn, HRB 9885
-------------------------------