Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#2256 closed defect (fixed)

XSS vulnerabilities in mapserv CGI

Reported by: dmorissette Owned by: dmorissette
Priority: normal Milestone: 5.0 release
Component: MapServer C Library Version: svn-trunk (development)
Severity: normal Keywords:
Cc:

Description (last modified by dmorissette)

Chris Schmidt has reported a XSS vulnerability in the mapserv CGI and provided a patch for it.

Another possible (but harder to exploit) XSS vulnerability has also been found in the template processing code.

This bug is to track the fix of those two vulnerabilities. The fixes will be released in MapServer 4.10.3 and 5.0.0-beta5. Older releases are also vulnerable (not sure how far back) but we won't produce new releases for them, instead instructions to patch the source will be provided in this ticket.

Users of MapServer are strongly advised to upgrade to the latest release as soon as it's available.

Attachments (1)

ms-bug-2256-4.8.patch (2.4 KB) - added by dmorissette 11 years ago.
The diff against MapServer 4.8 that can be used to patch older releases

Download all attachments as: .zip

Change History (6)

comment:1 Changed 11 years ago by dmorissette

Description: modified (diff)

comment:2 Changed 11 years ago by dmorissette

The fixes have been committed to SVN for 4.10.3 (r6679 + r6680) and 5.0.0-beta5 (r6681).

comment:3 Changed 11 years ago by dmorissette

Status: newassigned

I have verified that the vulnerabilities exist in MapServer 4.8, 4.6 and 4.4. I could not easily build 4.2 and older on my system so I didn't test them.

Even if we are not going to produce more releases of those branches, I have committed the fixes in SVN anyway for each branch:

Changed 11 years ago by dmorissette

Attachment: ms-bug-2256-4.8.patch added

The diff against MapServer 4.8 that can be used to patch older releases

comment:4 Changed 11 years ago by dmorissette

Resolution: fixed
Status: assignedclosed

The attached patch (above) can be used to patch your MapServer 4.8 or older source tree locally (using "patch -i ms-bug-2256.patch" on Linux). The patch is know to work for releases 4.4 to 4.8 and may work for older releases but it has not been tested with anything older than 4.4.

Closing as fixed

comment:5 Changed 11 years ago by dmorissette

Description: modified (diff)
Note: See TracTickets for help on using tickets.