Opened 6 years ago

Closed 5 years ago

Last modified 5 years ago

#3903 closed defect (fixed)

Security Vulnerabilities - Possible SQL Injection using OGC filter encoding

Reported by: assefa
Owned by: assefa
Priority: normal
Milestone: 6.0.1 release
Component: Security/Vulnerability (Public)
Version: unspecified
Severity: normal
Keywords:
Cc: dmorissette, sdlime, jmckenna, aboudreault

Description (last modified by dmorissette)

This ticket is to track fixes to prevent SQL injections through OGC filter encoding (in WMS, WFS and SOS), as well as a potential SQL injection in WMS time support.

Your system may be vulnerable if it has MapServer with OGC protocols enabled, with layers connecting to an SQL RDBMS backend, either natively or via OGR.

All versions of MapServer 4.x, 5.x and 6.x are potentially vulnerable. All users are strongly encouraged to upgrade to one of the latest releases with the fixes.

Attachments (6)

ticket3903_6.0.x.patch (24.5 KB) - added by dmorissette 5 years ago.
Patch against 6.0.x branch
ticket3903_5.6.x.patch (37.2 KB) - added by dmorissette 5 years ago.
Patch against 5.6.x branch
ticket3903_5.4.x.patch (37.0 KB) - added by dmorissette 5 years ago.
Patch against 5.4.x branch
ticket3903_5.2.x.patch (36.9 KB) - added by dmorissette 5 years ago.
Patch against 5.2.x branch
ticket3903_5.0.x.patch (36.4 KB) - added by dmorissette 5 years ago.
Patch against 5.0.x branch
ticket3903_4.10.x.patch (36.4 KB) - added by dmorissette 5 years ago.
Patch against 4.10.x branch


Change History (14)

comment:1 Changed 6 years ago by dmorissette

  • Cc dmorissette added
  • Description modified (diff)
  • Milestone set to 6.0.1 release

comment:2 Changed 5 years ago by dmorissette

  • Cc sdlime jmckenna aboudreault added
  • Component changed from WFS Server to Security/Vulnerability (Private)
  • Description modified (diff)
  • Summary changed from Possible SQL Injection using filter encding to Security Vulnerabilities - Possible SQL Injection using OGC filter encoding

comment:3 Changed 5 years ago by assefa

commits:

  • trunk is r11898
  • 6.0 branch is r11890
  • 5.6 branch is r11891
  • 5.4 branch is r11892
  • 5.2 branch is r11893
  • 5.0 branch is r11894
  • 4.10 branch is r11897

comment:4 Changed 5 years ago by dmorissette

Note: the revisions above also contain fixes for potentially exploitable buffer overflows in OGC Filter Encoding support.

Versions 4.10 to 5.6 were potentially vulnerable and have been fixed. 6.0.0 already contained fixes for those problems.

comment:5 Changed 5 years ago by dmorissette

Committed r11910 in SVN branch-6-0 (v6.0.1) and r11913 in SVN trunk to add missing #ifdef USE_POSTGIS in msPostGISEscapeSQLParam() to allow building without postgis support.

comment:6 Changed 5 years ago by assefa

missed postgis function in patches 5.6 (r11914), 5.4 (r11916), 5.2 (r11921), 5.0 (r11922), 4.10 (r11915)

comment:7 Changed 5 years ago by dmorissette

  • Component changed from Security/Vulnerability (Private) to Security/Vulnerability (Public)
  • Resolution set to fixed
  • Status changed from new to closed

comment:8 Changed 5 years ago by dmorissette

Changed 5 years ago by dmorissette

Patch against 6.0.x branch

Changed 5 years ago by dmorissette

Patch against 5.6.x branch

Changed 5 years ago by dmorissette

Patch against 5.4.x branch

Changed 5 years ago by dmorissette

Patch against 5.2.x branch

Changed 5 years ago by dmorissette

Patch against 5.0.x branch

Changed 5 years ago by dmorissette

Patch against 4.10.x branch
