XSS vulnerability on the 'layer' parameter of WMTS

XSS vulnerability on the 'layer' parameter of WMTS

besteseymen
Hello,

I'm a student working on a school project that utilises mapserver 6.2 installed from rpm on RedHat OS. My advisors are very concerned about the security of the system. From the security reports, we obtained this XSS vulnerability on the 'layer' parameter of WMTS service. 

http://example.com/mapcache/wmts/?SERVICE=WMTS&REQUEST=GetTile&VERSION=1.0.0&LAYER=--%3E%3ca%20xmlns%3aa%3d%27http%3a%2f%2fwww.w3.org%2f1999%2fxhtml%27%3e%3ca%3abody%20onload%3d%27alert(1111)%27%2f%3e%3c%2fa%3e&STYLE=default&TILEMATRIXSET=epsg3857&TILEMATRIX=6&TILEROW=23&TILECOL=38&FORMAT=

I wonder if the newer versions of mapserver have this issue or is there any way to solve it?
Any help would be appreciated. 

Beste

_______________________________________________
mapserver-users mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/mapserver-users

Re: XSS vulnerability on the 'layer' parameter of WMTS

jmckenna
Administrator
On 2017-08-06 8:47 AM, Even Rouault wrote:

> Beste / devs,
>
> adding the development list in CC.
>
> I can confirm the issue on latest mapcache master. The vulnerability is the
> injection of a parameter value between XML comment markers <!-- --> used for
> the error message. When this parameter value starts with --> it ends the
> comment part and the rest of the value is then parsed as non-comment XML.
> By skimming through the code it appears there are several similar instances in
> this protocol and others as well.
>
> I can see 2 options to fix this:
> - the safer one I think: do not return the invalid parameter value in the
> error message, but just the parameter name. So returning "Invalid layer name"
> instead of "Invalid layer {value_of_the_LAYER_parameter}". The important
> information is the name of the erroneous parameter, not its value (the user
> can figure that out himself)

I think users need the {value_of_the_LAYER_parameter}. Without that, it
is impossible to debug with a large mapfile (with or without MapCache).

> - a more risky one: sanitize the value that is going to be put inside XML
> comments <!-- --> . So that means at least removing --> sequences, but perhaps
> other things too?
>
> Even
>

-jeff

--
Jeff McKenna
MapServer Consulting and Training Services
http://www.gatewaygeomatics.com/
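The comment break-out Even describes, and the two repair options from the thread, as an added example in C. This is not MapCache's code: the ExceptionReport templates, the function names and the check are assumptions for illustration, and the only input is the URL-decoded LAYER value from Beste's report. The parameter name is treated as a trusted template literal, as it is in the pattern under discussion; only the value is attacker-controlled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input: the URL-decoded LAYER value from the report above. */
static const char *PAYLOAD =
    "--><a xmlns:a='http://www.w3.org/1999/xhtml'>"
    "<a:body onload='alert(1111)'/></a>";

/* Vulnerable pattern (assumed shape, not MapCache's template): the raw
 * value is spliced between the comment markers. Caller frees the result. */
char *report_vulnerable(const char *param, const char *value) {
    const char *fmt = "<?xml version=\"1.0\"?>\n"
                      "<ExceptionReport><!-- invalid %s %s --></ExceptionReport>\n";
    size_t n = strlen(fmt) + strlen(param) + strlen(value) + 1;
    char *out = malloc(n);
    if (out) snprintf(out, n, fmt, param, value);
    return out;
}

/* Fix option 1 from the thread: report only the parameter name. */
char *report_name_only(const char *param) {
    const char *fmt = "<?xml version=\"1.0\"?>\n"
                      "<ExceptionReport><!-- invalid %s --></ExceptionReport>\n";
    size_t n = strlen(fmt) + strlen(param) + 1;
    char *out = malloc(n);
    if (out) snprintf(out, n, fmt, param);
    return out;
}

/* XML 1.0 forbids the string "--" anywhere inside a comment, so stripping
 * only "-->" (option 2 as first stated) still leaves malformed output behind.
 * This is the precondition any comment-based fix would have to enforce. */
int safe_for_comment(const char *value) {
    return strstr(value, "--") == NULL;
}

/* Fix option 2, done the robust way: keep the value for debugging (Jeff's
 * concern) but emit it as escaped element text, never inside a comment. */
char *xml_escape(const char *s) {
    size_t n = strlen(s) * 6 + 1;            /* worst case: every byte -> "&quot;" */
    char *out = malloc(n), *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&apos;"; break;
        }
        if (rep) { size_t l = strlen(rep); memcpy(p, rep, l); p += l; }
        else      *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Assumed report shape; param is a template literal here, so only the
 * value is escaped. Caller frees the result. */
char *report_escaped(const char *param, const char *value) {
    const char *fmt = "<?xml version=\"1.0\"?>\n"
                      "<ExceptionReport><Exception locator=\"%s\">"
                      "invalid value: %s</Exception></ExceptionReport>\n";
    char *esc = xml_escape(value);
    if (!esc) return NULL;
    size_t n = strlen(fmt) + strlen(param) + strlen(esc) + 1;
    char *out = malloc(n);
    if (out) snprintf(out, n, fmt, param, esc);
    free(esc);
    return out;
}

/* Detection check: every template above contains "-->" at most once, so a
 * second occurrence can only have come from the untrusted value. */
int comment_breakout(const char *xml) {
    int seen = 0;
    for (const char *p = strstr(xml, "-->"); p; p = strstr(p + 3, "-->")) seen++;
    return seen > 1;
}

int main(void) {
    char *bad = report_vulnerable("LAYER", PAYLOAD);
    char *ok  = report_escaped("LAYER", PAYLOAD);
    printf("%s\nbreakout=%d\n\n%s\nbreakout=%d\n",
           bad, comment_breakout(bad), ok, comment_breakout(ok));
    free(bad);
    free(ok);
    return 0;
}
```

Running it prints the vulnerable report with the injected `<a:body onload=...>` element sitting outside the comment, followed by the escaped report where the same bytes appear only as `&lt;a:body ...&gt;` text. If a comment-based sanitizer is chosen instead, `safe_for_comment` is the condition it must guarantee, since `--` (not only `-->`) is illegal inside an XML comment.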