Ticket #3485 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

Disable insecure mapserv CGI command-line debug args

Reported by: dmorissette
Owned by: dmorissette
Priority: normal
Milestone: 5.6.4 release
Component: MapServer C Library
Version: 5.6
Severity: normal
Keywords:
Cc: sdlime, aboudreault

Description

As part of a security audit of MapServer 5.6 it was found that some of the mapserv CGI command-line debug arguments constitute a security risk that could potentially be exploited.

I will not disclose any of the details here, but we should take actions to avoid command-line args in CGI programs.

This will not affect functionality for regular mapserv CGI users... only for developers that used those command-line args to debug and test the software.

Change History

Changed 4 years ago by dmorissette

  • cc aboudreault added
  • status changed from new to assigned

To create the smallest possible amount of disruption in point releases, for 5.6.4 we will simply disable all mapserv command-line debug args by default, except for "-v" which is useful to get mapserv version on an installed system, as well as "-nh" and "QUERY_STRING=..." which carry little risk and/or are used by msautotests and in some docs.

We should revisit this in MapServer 6.0 and possibly find a better mechanism to handle these debugging hooks that does not involve command-line args.

The disabled code will be enclosed inside #ifdef MS_ENABLE_CGI_CL_DEBUG_ARGS. This means that -DMS_ENABLE_CGI_CL_DEBUG_ARGS must be explicitly set at compile time to re-enable those debug args (by devs who know what they are doing and understand the security implications). A --enable-cgi-cl-debug-args option will also be added to the configure script to facilitate setting this flag. Once again, this flag enables some potentially insecure command-line args and should not be enabled on production servers or by people who do not understand the security implications.

Fix for this committed in SVN branch-5-6 r10306 (will be in 5.6.4)

I will also backport the fix to older releases.
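
The compile-time gate described in the comment above, sketched as an added example (not code from the ticket or from MapServer). The names `classify_arg`, `count_rejected` and `-example-debug` are hypothetical, since the ticket does not name the disabled arguments; reporting and counting rejected arguments is this example's own choice.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of classifying one command-line argument. */
enum arg_action { ARG_VERSION, ARG_NO_HEADER, ARG_QUERY_STRING, ARG_DEBUG, ARG_REJECTED };

/* Hypothetical stand-in for a developer-only debug switch; the ticket
 * deliberately does not name the real ones. */
#define EXAMPLE_DEBUG_ARG "-example-debug"

/* Classify one argument. The three arguments the ticket keeps enabled are
 * always recognised; anything else is compiled in only when the build
 * defines MS_ENABLE_CGI_CL_DEBUG_ARGS. */
enum arg_action classify_arg(const char *arg)
{
    if (strcmp(arg, "-v") == 0)
        return ARG_VERSION;
    if (strcmp(arg, "-nh") == 0)
        return ARG_NO_HEADER;
    if (strncmp(arg, "QUERY_STRING=", 13) == 0)
        return ARG_QUERY_STRING;
#ifdef MS_ENABLE_CGI_CL_DEBUG_ARGS
    if (strcmp(arg, EXAMPLE_DEBUG_ARG) == 0)
        return ARG_DEBUG;
#endif
    return ARG_REJECTED;
}

/* Return how many of argv[1..argc-1] a default build refuses to act on. */
int count_rejected(int argc, char **argv)
{
    int rejected = 0;
    for (int i = 1; i < argc; i++) {
        if (classify_arg(argv[i]) == ARG_REJECTED) {
            fprintf(stderr, "ignoring unsupported argument: %s\n", argv[i]);
            rejected++;
        }
    }
    return rejected;
}

int main(int argc, char **argv)
{
    return count_rejected(argc, argv) ? 1 : 0;
}
```

Compiling with -DMS_ENABLE_CGI_CL_DEBUG_ARGS brings the gated branch back; in a default build the debug code path is absent from the binary, not merely switched off at run time.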

Changed 4 years ago by dmorissette

  • status changed from assigned to closed
  • resolution set to fixed

Backported fix to SVN branch-5-4 (r10314), branch-5-2 (r10315), branch-5-0 (r10316) and branch-4-10 (r10317).

Also created ticket #3486 about defining a better debugging/testing mechanism for developers to use at the command line in MapServer 6.0

Closing.

Changed 4 years ago by dmorissette

Applied fix to SVN trunk r10319
