wiki:MapGuideRfc136

MapGuide RFC 136 - Remove EXECUTESQLQUERY from the mapagent

This page contains a change request (RFC) for the MapGuide Open Source project. More MapGuide RFCs can be found on the RFCs page.

Status

RFC Template Version(1.0)
Submission Date17 Jun 2013
Last Modified8 Jul 2013
AuthorJackie Ng
RFC Statusadopted
Implementation Statusimplemented
Proposed Milestone2.6, 2.5.1, 2.4.1
Assigned PSC guide(s)(when determined)
Voting History(vote date)
+1Jackie,Zac,Bruce,Trevor
+0
-0
-1
no voteTom,Bob,Paul,Haris

Overview

This RFC proposes to remove support for the EXECUTESQLQUERY operation from the mapagent HTTP interface.

Motivation

The EXECUTESQLQUERY operation in its current form poses a dangerous security risk due to the lack of any safeguards in the MapGuide or FDO APIs to ensure the SQL being executed is only a SELECT query and not INSERT/UPDATE/DELETE or DML like DROP/ALTER TABLE/ALTER COLUMN

The Anonymous MapGuide user account has unfettered access to this operation and given knowledge of the repository layout (also accessible by the Anonymous account) and the Feature Source structure (also accessible by the Anonymous account) a malicious Anonymous MapGuide session has enough knowledge to cause serious damage to any Feature Source whose FDO provider supports SQL commands.

RDBMS-based FDO providers can mitigate this through the use of security options provided by the underlying DBMS (eg. A DBMS user account with read-only table access). Using credentials for a sufficiently locked down DBMS user account is sufficient to stop such an attack.

However, FDO providers like SQLite do not have any notion of security at the DBMS level and will still be vulnerable to this type of attack.

The risks to having this operation in the mapagent interface outweigh the benefits. For the purposes of query feature data over http, the SELECTFEATURES and SELECTAGGREGATES operations already satisfy this requirement.

This vulnerability affects any public facing MapGuide installation that serves spatial data from SQLite or RDBMS-based feature sources with inadequate DBMS-level security restrictions in place.

Proposed Solution

Removing the EXECUTESQLQUERY from the mapagent is enough to address this security risk.

Access to the MgFeatureService?.ExecuteSqlQuery?() API is still presumed to be safe API to use given proper web application security practices employed on behalf of the MapGuide application developer to prevent common attack vectors like SQL injection.

Given the severity of this issue, this RFC is targeted for not just the 2.6 milestone, but also for 2.5.1 and 2.4.1 point release milestones as well. If given enough demand, patched MgHttpHandler?.dll files for 2.2 will also be made available.

For older releases of MapGuide outside the scope of this RFC, administrators can apply request filtering at the IIS/Apache level to block this type of request [discussion required here].

For Apache:

TBD. Discussion required.

For IIS:

TBD. Discussion required.

Hotfix dlls are available here. These dlls remove support for the given operation from the mapagent. To apply these hotfixes, shut down your IIS/Apache web server, then overwrite all installed copies of MgHttpHandler?.dll with the copy included in the matching zip file below:

Restart your web server afterwards and your mapagent will no longer support this installation.

For Linux, apply one of the patches below (2.4 patch also works for 2.5) and build a new copy of libMgHttpHandler.so

Implications

This RFC will break applications that use this mapagent API. Developers reliant on this API can implement a replacement using the Web Extensions API, but should be mindful about sanitizing and validating the input SQL that gets passed down to MgFeatureService?.ExecuteSqlQuery?()

Test Plan

Verify EXECUTESQLQUERY requests now throws MgInvalidOperationException?

Funding / Resources

Community

Last modified 4 years ago Last modified on Jul 8, 2013 2:44:51 AM

Attachments (2)

Download all attachments as: .zip