Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#4087 closed defect (fixed)

WFS GetFeature security issue

Reported by: sbrunner
Owned by: aboudreault
Priority: highest
Milestone:
Component: Security/Vulnerability (Private)
Version: svn-trunk (development)
Severity: critical
Keywords: security
Cc: sdlime, dmorissette, assefa

Description

Hello,

I use the revision r12270 of mapserver, and I have this issue:

I use this layer definition:

LAYER
  NAME "grundstueck"
  TYPE POLYGON
  TEMPLATE fooOnlyForWMSGetFeatureInfo
  EXTENT 2590000 1240000 2645000 1275000
  CONNECTIONTYPE postgis
  PROCESSING "CLOSE_CONNECTION=DEFER"
  CONNECTION "..."
  DATA "geom FROM (SELECT * FROM av_ls.v_grundstueck) AS foo USING UNIQUE gs_id USING srid=2056"
  METADATA
    "wms_title" "Grundstueck"
    "wms_srs" "epsg:2056 epsg:21781"
    "gml_include_items" "all"
    "wfs_enable_request" "*"
  END
  STATUS ON
...

on psql: \d av_ls.v_grundstueck =>

              View "av_ls.v_grundstueck"
      Column      |         Type          | Modifiers
------------------+-----------------------+-----------
 gs_id            | integer               |
 lsn_oid          | double precision      |
 nummer           | character varying(12) |
 gueltigkeit      | character(20)         |
 art              | character(50)         |
 gemeinde_id_bfs  | integer               |
 meta_id          | integer               |
 flaechenmass     | integer               |
 nummer_m_deko    | character varying(14) |
 nbident          | character varying(12) |
 vollstaendigkeit | character(15)         |
 datenherr        | character varying(80) |
 mut_nummer       | character varying(12) |
 geom             | geometry              |

.../mapserv?TYPENAME=grundstueck&REQUEST=DescribeFeatureType&SERVICE=WFS&VERSION=1.0.0 =>

<schema targetNamespace="http://mapserver.gis.umn.edu/mapserver" xmlns:ms="http://mapserver.gis.umn.edu/mapserver" xmlns:ogc="http://www.opengis.net/ogc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:gml="http://www.opengis.net/gml" elementFormDefault="qualified" version="0.1">
<import namespace="http://www.opengis.net/gml" schemaLocation="http://schemas.opengis.net/gml/2.1.2/feature.xsd"></import>
<element name="grundstueck" type="ms:grundstueckType" substitutionGroup="gml:_Feature"></element>
<complexType name="grundstueckType">
<complexContent>
<extension base="gml:AbstractFeatureType">
<sequence>
<element name="msGeometry" type="gml:GeometryPropertyType" minOccurs="0" maxOccurs="1"></element>
<element name="gs_id" type="string"></element>
<element name="lsn_oid" type="string"></element>
<element name="nummer" type="string"></element>
<element name="gueltigkeit" type="string"></element>
<element name="art" type="string"></element>
<element name="gemeinde_id_bfs" type="string"></element>
<element name="meta_id" type="string"></element>
<element name="flaechenmass" type="string"></element>
<element name="nummer_m_deko" type="string"></element>
<element name="nbident" type="string"></element>
<element name="vollstaendigkeit" type="string"></element>
<element name="datenherr" type="string"></element>
<element name="mut_nummer" type="string"></element>
</sequence>
</extension>
</complexContent>
</complexType>
</schema>

GetFeature request:

<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs" service="WFS" version="1.1.0" xsi:schemaLocation="http://www.opengis.net/wfs http://schemas.opengis.net/wfs/1.1.0/wfs.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<wfs:Query typeName="feature:grundstueck" srsName="EPSG:2056" xmlns:feature="http://mapserver.gis.umn.edu/mapserver">
<ogc:Filter xmlns:ogc="http://www.opengis.net/ogc">
<ogc:PropertyIsEqualTo matchCase="false">
<ogc:PropertyName>nummer</ogc:PropertyName>
<ogc:Literal>'10'</ogc:Literal>
</ogc:PropertyIsEqualTo>
</ogc:Filter>
</wfs:Query>
</wfs:GetFeature>

=>

<ows:ExceptionReport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.1.0" xmlns:ows="http://www.opengis.net/ows" language="en-US" xsi:schemaLocation="http://www.opengis.net/ows http://schemas.opengis.net/ows/1.0.0/owsExceptionReport.xsd">
<ows:Exception locator="mapserv" exceptionCode="NoApplicableCode">
<ows:ExceptionText>msWFSGetFeature(): WFS server error. FLTApplyFilterToLayer() failed msPostGISLayerWhichShapes(): Query error. Error (ERROR: syntax error at or near "10" LINE 1: ...240000))',2056) and (( (lower("nummer") = lower(''10'') ) )) ^ ) executing query: select "gs_id","lsn_oid","nummer","gueltigkeit","art","gemeinde_id_bfs","meta_id","flaechenmass","nummer_m_deko","nbident","vollstaendigkeit","datenherr","mut_nummer",encode(ST_AsBinary(ST_Force_2D("geom"),'NDR'),'hex') as geom,"gs_id" from (SELECT * FROM av_ls.v_grundstueck) AS foo where geom &amp;&amp; GeomFromText('POLYGON((2590000 1240000,2590000 1275000,2645000 1275000,2645000 1240000,2590000 1240000))',2056) and (( (lower("nummer") = lower(''10'') ) ))</ows:ExceptionText>
</ows:Exception>
</ows:ExceptionReport>

The quote isn't escaped, so for me it's a security issue ...

Additional issue but less important:

<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs" service="WFS" version="1.1.0" xsi:schemaLocation="http://www.opengis.net/wfs http://schemas.opengis.net/wfs/1.1.0/wfs.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<wfs:Query typeName="feature:grundstueck" srsName="EPSG:2056" xmlns:feature="http://mapserver.gis.umn.edu/mapserver">
<ogc:Filter xmlns:ogc="http://www.opengis.net/ogc">
<ogc:PropertyIsEqualTo matchCase="false">
<ogc:PropertyName>nummer</ogc:PropertyName>
<ogc:Literal>10</ogc:Literal>
</ogc:PropertyIsEqualTo>
</ogc:Filter>
</wfs:Query>
</wfs:GetFeature>

=>

<ows:ExceptionReport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.1.0" xmlns:ows="http://www.opengis.net/ows" language="en-US" xsi:schemaLocation="http://www.opengis.net/ows http://schemas.opengis.net/ows/1.0.0/owsExceptionReport.xsd">
<ows:Exception locator="mapserv" exceptionCode="NoApplicableCode">
<ows:ExceptionText>msWFSGetFeature(): WFS server error. FLTApplyFilterToLayer() failed msPostGISLayerWhichShapes(): Query error. Error (ERROR: operator does not exist: character varying = integer LINE 1: ...00 1240000,2590000 1240000))',2056) and (( ("nummer"= 10) )) ^ HINT: No operator matches the given name and argument type(s). You might need to add explicit type casts. ) executing query: select "gs_id","lsn_oid","nummer","gueltigkeit","art","gemeinde_id_bfs","meta_id","flaechenmass","nummer_m_deko","nbident","vollstaendigkeit","datenherr","mut_nummer",encode(ST_AsBinary(ST_Force_2D("geom"),'NDR'),'hex') as geom,"gs_id" from (SELECT * FROM av_ls.v_grundstueck) AS foo where geom &amp;&amp; GeomFromText('POLYGON((2590000 1240000,2590000 1275000,2645000 1275000,2645000 1240000,2590000 1240000))',2056) and (( ("nummer"= 10) ))</ows:ExceptionText>
</ows:Exception>
</ows:ExceptionReport>

When we query a string with only digits, it queries it as a number ...
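The error text above shows the literal '10' reaching PostGIS as lower(''10''): the value was wrapped in single quotes, but the quotes inside it were never doubled. The following is an added example, written for this page and not MapServer's own code or the attached patch, of the standard SQL escaping a filter literal needs before it is spliced into the WHERE clause; the function names are hypothetical.

```c
/* Quote a WFS filter literal before building a PostgreSQL WHERE clause.
 * Added example for this ticket, not MapServer code. Names hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated SQL string literal: the input wrapped in single
 * quotes with every embedded single quote doubled. Caller frees the result. */
char *sql_quote_literal(const char *in)
{
    size_t n = strlen(in), extra = 0, i, j = 0;
    char *out;

    for (i = 0; i < n; i++)
        if (in[i] == '\'') extra++;          /* each quote becomes two */

    out = malloc(n + extra + 3);             /* + 2 outer quotes + NUL */
    if (out == NULL) return NULL;

    out[j++] = '\'';
    for (i = 0; i < n; i++) {
        out[j++] = in[i];
        if (in[i] == '\'') out[j++] = '\'';  /* ' -> '' */
    }
    out[j++] = '\'';
    out[j] = '\0';
    return out;
}

/* Build the PropertyIsEqualTo clause in the shape the ticket's query shows,
 * case-insensitive when matchCase="false". The column name is assumed to
 * have been validated against the layer's item list already; only the
 * literal is quoted here. Caller frees the result. */
char *build_equal_clause(const char *column, const char *literal, int match_case)
{
    char *quoted = sql_quote_literal(literal);
    char *clause;
    size_t len;

    if (quoted == NULL) return NULL;
    len = strlen(column) + strlen(quoted) + 32;
    clause = malloc(len);
    if (clause != NULL) {
        if (match_case)
            snprintf(clause, len, "(\"%s\" = %s)", column, quoted);
        else
            snprintf(clause, len, "(lower(\"%s\") = lower(%s))", column, quoted);
    }
    free(quoted);                            /* no leak, cf. comment:3 */
    return clause;
}
```

With the ticket's literal '10' the clause becomes (lower("nummer") = lower('''10''')), which PostgreSQL parses as a comparison against the four-character string '10' instead of failing with a syntax error.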

Attachments (4)

4087.patch (579 bytes ) - added by sbrunner 12 years ago.
patch to fix the security issue
test.map (1.7 KB ) - added by sbrunner 12 years ago.
mapfile used to test
test-wfs.html (21.5 KB ) - added by sbrunner 12 years ago.
html file with test cases
4087_with_msFree.patch (682 bytes ) - added by rouault 12 years ago.


Change History (17)

comment:1 by sdlime, 12 years ago

Cc: sdlime dmorissette added
Component: MapServer C Library → WFS Server
Owner: changed from sdlime to mapserverbugs

by sbrunner, 12 years ago

Attachment: 4087.patch added

patch to fix the security issue

by sbrunner, 12 years ago

Attachment: test.map added

mapfile used to test

by sbrunner, 12 years ago

Attachment: test-wfs.html added

html file with test cases

comment:2 by sbrunner, 12 years ago

Hello,

I attach a patch for the security issue. For the other issue, it's just because I missed this metadata: "gml_types" "auto"

CU Stéphane

comment:3 by rouault, 12 years ago

I've updated the patch, so that it doesn't leak memory.

by rouault, 12 years ago

Attachment: 4087_with_msFree.patch added

comment:4 by sbrunner, 12 years ago

Thank you rouault, you're right ;-)

comment:5 by aboudreault, 12 years ago

Component: WFS Server → Security/Vulnerability (Private)
Owner: changed from mapserverbugs to aboudreault

comment:6 by sdlime, 12 years ago

Worthy of a 6.0.2 and 5.6.8? Same process as before I take it. Argh...

Steve

comment:7 by aboudreault, 12 years ago

Cc: assefa added

comment:8 by sdlime, 12 years ago

Bump... Need to figure out a plan with this. I take it that this isn't "as" exploitable as it might have been before the 6.0.1/5.6.7/... releases but that there still are risks. Am I wrong?

Steve

comment:9 by dmorissette, 12 years ago

Alan, can you please look into this to be included in a 6.0.2?

The encoding may be sufficient to fix the issue, but it's a bit embarrassing to be leaking the full SQL query. Should we not change the code to msDebug() the SQL query, and msSetError() only a more generic error message?

comment:10 by aboudreault, 12 years ago

Fixed and committed in r13031 and backported in branch 6.0 in r13030.

I'm going to modify the postgis.c file to not show the SQL QUERY in any msSetError, only in msDebug.

comment:11 by aboudreault, 12 years ago

Resolution: fixed
Status: new → closed

Can be closed, error reports have been fixed in trunk and branch 6.0.

comment:12 by sdlime, 12 years ago

Should this be backported to 5.6 (or at least patches provided)? I figure lots of folks have not taken the 6.x plunge.

Steve

comment:13 by aboudreault, 12 years ago

Backported in branch 5.6 in r13071.
