Ticket #2256 (closed defect: fixed)

Opened 11 months ago

Last modified 11 months ago

XSS vulnerabilities in mapserv CGI

Reported by: dmorissette Assigned to: dmorissette
Priority: normal Milestone: 5.0 release
Component: MapServer C Library Version: svn-trunk (development)
Severity: normal Keywords:
Cc:

Description (Last modified by dmorissette)

Chris Schmidt has reported an XSS vulnerability in the mapserv CGI and provided a patch for it.

Another possible (but harder to exploit) XSS vulnerability has also been found in the template processing code.

This bug is to track the fix of those two vulnerabilities. The fixes will be released in MapServer 4.10.3 and 5.0.0-beta5. Older releases are also vulnerable (not sure how far back) but we won't produce new releases for them, instead instructions to patch the source will be provided in this ticket.

Users of MapServer are strongly advised to upgrade to the latest release as soon as it's available.
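Added illustration, not MapServer code and not the attached patch (which this ticket does not reproduce): a minimal C HTML escaper and template substitution showing the difference between inserting a CGI parameter into an HTML template raw and inserting it escaped, which is the class of fix a reflected XSS in a CGI or its template processor calls for. The `[layer]` placeholder syntax, the function names and the sample payload are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example code, not from MapServer. Escape the five characters that let a
 * value break out of HTML text or a double/single-quoted attribute.
 * Returns a malloc'd string the caller must free, or NULL on allocation failure. */
char *html_escape(const char *in)
{
    size_t i, out_len = 0;
    char *out, *p;

    /* First pass: compute the escaped length so one allocation suffices. */
    for (i = 0; in[i] != '\0'; i++) {
        switch (in[i]) {
        case '&':  out_len += 5; break;  /* &amp;  */
        case '<':  out_len += 4; break;  /* &lt;   */
        case '>':  out_len += 4; break;  /* &gt;   */
        case '"':  out_len += 6; break;  /* &quot; */
        case '\'': out_len += 5; break;  /* &#39;  */
        default:   out_len += 1; break;
        }
    }
    out = malloc(out_len + 1);
    if (out == NULL) return NULL;

    /* Second pass: emit replacements. */
    p = out;
    for (i = 0; in[i] != '\0'; i++) {
        const char *rep = NULL;
        switch (in[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default: break;
        }
        if (rep != NULL) { size_t n = strlen(rep); memcpy(p, rep, n); p += n; }
        else *p++ = in[i];
    }
    *p = '\0';
    return out;
}

/* Replace every occurrence of `tag` in `tmpl` with `value`. With escape_value
 * == 0 this is the unsafe behaviour (raw substitution); with escape_value != 0
 * the value is HTML-escaped first. Returns a malloc'd string or NULL. */
char *render_template(const char *tmpl, const char *tag,
                      const char *value, int escape_value)
{
    size_t tag_len = strlen(tag), val_len, count = 0, out_len;
    const char *s;
    char *val, *out, *p;

    if (tag_len == 0) return NULL;
    if (escape_value) {
        val = html_escape(value);
    } else {
        val = malloc(strlen(value) + 1);
        if (val != NULL) strcpy(val, value);
    }
    if (val == NULL) return NULL;
    val_len = strlen(val);

    for (s = tmpl; (s = strstr(s, tag)) != NULL; s += tag_len) count++;
    out_len = strlen(tmpl) + count * val_len - count * tag_len;
    out = malloc(out_len + 1);
    if (out == NULL) { free(val); return NULL; }

    p = out;
    s = tmpl;
    for (;;) {
        const char *hit = strstr(s, tag);
        if (hit == NULL) { strcpy(p, s); break; }
        memcpy(p, s, (size_t)(hit - s)); p += hit - s;
        memcpy(p, val, val_len);         p += val_len;
        s = hit + tag_len;
    }
    free(val);
    return out;
}

int main(void)
{
    /* Constructed template and attacker-controlled query parameter value. */
    const char *tmpl    = "<input name=\"layer\" value=\"[layer]\">";
    const char *payload = "\"><script>alert(1)</script>";
    char *unsafe = render_template(tmpl, "[layer]", payload, 0);
    char *safe   = render_template(tmpl, "[layer]", payload, 1);

    printf("raw:     %s\n", unsafe);   /* script tag lands live in the page */
    printf("escaped: %s\n", safe);     /* payload stays inside the attribute */
    free(unsafe);
    free(safe);
    return 0;
}
```

The escaper covers text nodes and quoted attribute values; a value placed into an unquoted attribute, a URL, or a script block needs context-specific encoding beyond this.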

Attachments

ms-bug-2256-4.8.patch (2.4 kB) - added by dmorissette on 08/22/07 14:34:10.
The diff against MapServer 4.8 that can be used to patch older releases

Change History

08/22/07 09:34:14 changed by dmorissette

  • description changed.

08/22/07 14:28:31 changed by dmorissette

The fixes have been committed to SVN for 4.10.3 (r6679 + r6680) and 5.0.0-beta5 (r6681).

08/22/07 14:32:58 changed by dmorissette

  • status changed from new to assigned.

I have verified that the vulnerabilities exist in MapServer 4.8, 4.6 and 4.4. I could not easily build 4.2 and older on my system so I didn't test them.

Even though we are not going to produce more releases of those branches, I have committed the fixes in SVN anyway for each branch:

08/22/07 14:34:10 changed by dmorissette

  • attachment ms-bug-2256-4.8.patch added.

The diff against MapServer 4.8 that can be used to patch older releases

08/22/07 14:38:49 changed by dmorissette

  • status changed from assigned to closed.
  • resolution set to fixed.

The attached patch (above) can be used to patch your MapServer 4.8 or older source tree locally (using "patch -i ms-bug-2256.patch" on Linux). The patch is known to work for releases 4.4 to 4.8 and may work for older releases, but it has not been tested with anything older than 4.4.

Closing as fixed.

08/22/07 17:47:31 changed by dmorissette

  • description changed.