Ticket #1836 (closed defect: fixed)

Opened 4 years ago

Last modified 7 months ago

Handling of IMAGEPATH and IMAGEURL could be improved

Reported by: chust@web.de Assigned to: sdlime
Priority: high Milestone:
Component: MapServer CGI Version: 4.8
Severity: normal Keywords:
Cc:

Description (Last modified by sdlime)

Presently IMAGEPATH and IMAGEURL can not only be set via the CGI query string,
but values specified there also override any defaults specified in the map file.
In the standard configuration this allows anybody who can http the web server to
write data to nearly arbitrary places on the disk with the permissions of the
web server user. It also allows spoofing of served images.

In my humble opinion this poses a minor security risk and definitely a high risk
for annoyance of the administrator unless additional measures are taken to jail
the MapServer CGI in a chroot environment and run it under a dedicated user.

I would at least suggest that the values for IMAGEPATH and IMAGEURL given in the
map file should take precedence over CGI query parameters.
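The weakness described above is that IMAGEPATH and IMAGEURL arrive in the CGI query string and override the mapfile. For installations still running an affected MapServer release, one defensive measure is to watch the web server's access log for requests that carry these parameters. The following is an added example, not code from the ticket or from MapServer: it scans constructed Common-Log-Format lines for mapserv requests that set either parameter and flags any IMAGEPATH that resolves outside an assumed image directory. It assumes the parameter names are matched case-insensitively and that the intended image directory is /var/www/tmp/.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not taken from the ticket.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jul/2006:12:00:01 +0000] "GET /cgi-bin/mapserv?map=/maps/demo.map&mode=map&layers=roads HTTP/1.1" 200 5120
10.0.0.7 - - [21/Jul/2006:12:00:02 +0000] "GET /cgi-bin/mapserv?map=/maps/demo.map&mode=map&IMAGEPATH=/var/www/html/&imageurl=/ HTTP/1.1" 200 5120
10.0.0.9 - - [21/Jul/2006:12:00:03 +0000] "GET /cgi-bin/mapserv?map=/maps/demo.map&imagepath=%2Ftmp%2Fms%2F HTTP/1.1" 200 4096
10.0.0.9 - - [21/Jul/2006:12:00:04 +0000] "GET /cgi-bin/mapserv?map=/maps/demo.map&imagepath=cache/ HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Parameter names from the ticket; assumed to be matched case-insensitively by the CGI.
OVERRIDE_PARAMS = {"imagepath", "imageurl"}
# Assumed directory the mapfile intends images to be written to.
IMAGE_ROOT = "/var/www/tmp/"


def escapes_root(path, root=IMAGE_ROOT):
    """True if a requested IMAGEPATH resolves outside the intended image directory."""
    root = posixpath.normpath(root) + "/"
    # An absolute path replaces root in join(); a relative one is resolved against it.
    resolved = posixpath.normpath(posixpath.join(root, path)) + "/"
    return not resolved.startswith(root)


def find_overrides(log_text):
    """Return one record per request that sets IMAGEPATH or IMAGEURL via the query string."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs also percent-decodes values, so %2Ftmp%2F becomes /tmp/.
        params = parse_qs(query, keep_blank_values=True)
        hits = {k.lower(): v for k, v in params.items() if k.lower() in OVERRIDE_PARAMS}
        if not hits:
            continue
        outside = any(escapes_root(p) for p in hits.get("imagepath", []))
        findings.append({"line": lineno, "client": line.split(" ", 1)[0],
                         "params": hits, "outside_root": outside})
    return findings


if __name__ == "__main__":
    for f in find_overrides(SAMPLE_LOG):
        print(f)
```

A request that only sets a relative IMAGEPATH inside the intended directory is still reported, since the mapfile is meant to be the sole source of these values, but it is marked as staying within the root.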

Change History

07/21/06 12:25:22 changed by sdlime

  • status changed from new to assigned.

A fair point, but I'll have to think about practical abuses. In cases like this
it would be nice to develop a concrete example that exploits the hole. From
that risk can be assessed.

"I would at least suggest that the values for IMAGEPATH and IMAGEURL given in
the map file should take precedence over CGI query parameters."

Then there is no point in providing the capability... It only exists to ease
application configuration in cases where an app might be installed in many
environments (e.g. a demo).

Steve

07/21/09 11:33:10 changed by sdlime

  • status changed from assigned to closed.
  • resolution set to fixed.
  • description changed.

This ability has been totally removed in MapServer 5.4. These values can *only* be set within a mapfile.

Steve

07/22/09 23:42:40 changed by sdlime

Back ported to 5.0 and 5.2 branches for completeness...

Steve

07/22/09 23:50:03 changed by sdlime

Also patched 4.10... Should have removed in 4.8, but I was a lazy ass.

Steve