Opened 7 years ago

Closed 6 years ago

Last modified 6 years ago

#2942 closed defect (fixed)

CGI "id" parameter not sufficiently validated, could allow for the creation of files on the file system

Reported by: sdlime
Owned by: sdlime
Priority: high
Milestone: 6.0 release
Component: MapServer C Library
Version: unspecified
Severity: normal
Keywords:
Cc: jmckenna, dmorissette


The CGI parameter (used for pseudo session handling) is not sufficiently validated and could be used to create files outside of intended locations. The parameter is checked for length but not for content so inserting relative paths alters where MapServer will try to create temporary files.

The fix is to apply a regex pattern to limit an id's value.


Change History (10)

comment:1 Changed 7 years ago by sdlime

  • Priority changed from normal to high
  • Status changed from new to assigned

comment:2 Changed 7 years ago by sdlime

Note that the current code also has an off-by-one error that doesn't take the null terminating character into consideration, so setting an id of 128 characters will trigger a buffer overflow. The regex check accounts for this by restricting the value to 1 less than IDSIZE as set in maptemplate.h.
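
The check the ticket describes, as an added example in C (not MapServer's own code): a regex that restricts the id to safe characters and to at most IDSIZE-1 of them so the terminating NUL fits in the buffer, followed by a bounded copy. IDSIZE=128 is inferred from comment:2; the exact pattern and the function names are assumptions.

```c
/* Added example, not MapServer's own code. IDSIZE=128 is inferred from the
 * ticket (an id of 128 characters overflows); the pattern is an assumption
 * that follows the ticket's description of the fix. Build: cc idcheck.c */
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define IDSIZE 128

/* Only alphanumerics, '_' and '-', so "../" style values cannot alter the
 * temp-file path. {1,127} is IDSIZE-1: a length-only check such as
 * strlen(id) <= IDSIZE (illustrative of the off-by-one, not the ticket's
 * exact code) accepts 128 characters, which with the NUL need 129 bytes. */
#define IDPATTERN "^[A-Za-z0-9_-]{1,127}$"

/* Return 1 if id matches IDPATTERN, 0 if it is rejected (or on regex error). */
int id_is_valid(const char *id)
{
    regex_t re;
    int ok;
    if (id == NULL) return 0;
    if (regcomp(&re, IDPATTERN, REG_EXTENDED | REG_NOSUB) != 0) return 0;
    ok = (regexec(&re, id, 0, NULL, 0) == 0);
    regfree(&re);
    return ok;
}

/* Validate, then copy into a char[IDSIZE] with an explicit bound.
 * Returns 0 on success, -1 if the id was rejected (dst left untouched). */
int copy_id(char dst[IDSIZE], const char *id)
{
    if (!id_is_valid(id)) return -1;
    memcpy(dst, id, strlen(id) + 1); /* validated length <= IDSIZE-1 */
    return 0;
}

int main(void)
{
    char buf[IDSIZE], longid[IDSIZE + 1];
    const char *samples[] = { "session42", "../tmp", "", "a b" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               copy_id(buf, samples[i]) == 0 ? "accepted" : "rejected");
    memset(longid, 'x', IDSIZE);          /* constructed: exactly 128 chars */
    longid[IDSIZE] = '\0';
    printf("%zu chars    -> %s\n", strlen(longid),
           id_is_valid(longid) ? "accepted" : "rejected");
    return 0;
}
```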


comment:3 Changed 7 years ago by sdlime

Referencing CVE-2009-0839 and CVE-2009-0841...

comment:4 Changed 7 years ago by jmckenna

  • Cc jmckenna added

comment:5 Changed 7 years ago by dmorissette

  • Cc dmorissette added

comment:6 Changed 7 years ago by sdlime

  • Milestone changed from 5.2.2 release to 5.4 release

Fixed r8805 for MapServer 5.2 branch. Fixed in r8823 for 4.10 branch. Moving to 5.4 now.


comment:7 Changed 7 years ago by sdlime

  • Milestone changed from 5.4 release to 6.0 release

Fixed in 5.4 branch in r8855, moving to 6.0/trunk.


comment:8 Changed 6 years ago by sdlime

  • Resolution set to fixed
  • Status changed from assigned to closed

Fixed in trunk a while ago. Closing since there are no documentation issues.


comment:9 Changed 6 years ago by sdlime

This bug references CVE-2009-1176...


comment:10 Changed 6 years ago by aboudreault

Backported to branch-5-0 in r9199
