#4087 closed defect (fixed)
WFS GetFeature security issue
Reported by: | sbrunner | Owned by: | aboudreault |
---|---|---|---|
Priority: | highest | Milestone: | |
Component: | Security/Vulnerability (Private) | Version: | svn-trunk (development) |
Severity: | critical | Keywords: | security |
Cc: | sdlime, dmorissette, assefa |
Description
Hello,
I use the revision r12270 of mapserver, and I have this issue:
I use this layer definition:
```
LAYER
  NAME "grundstueck"
  TYPE POLYGON
  TEMPLATE fooOnlyForWMSGetFeatureInfo
  EXTENT 2590000 1240000 2645000 1275000
  CONNECTIONTYPE postgis
  PROCESSING "CLOSE_CONNECTION=DEFER"
  CONNECTION "..."
  DATA "geom FROM (SELECT * FROM av_ls.v_grundstueck) AS foo USING UNIQUE gs_id USING srid=2056"
  METADATA
    "wms_title" "Grundstueck"
    "wms_srs" "epsg:2056 epsg:21781"
    "gml_include_items" "all"
    "wfs_enable_request" "*"
  END
  STATUS ON
  ...
```
on psql: \d av_ls.v_grundstueck =>
```
View "av_ls.v_grundstueck"
      Column      |         Type          | Modifiers
------------------+-----------------------+-----------
 gs_id            | integer               |
 lsn_oid          | double precision      |
 nummer           | character varying(12) |
 gueltigkeit      | character(20)         |
 art              | character(50)         |
 gemeinde_id_bfs  | integer               |
 meta_id          | integer               |
 flaechenmass     | integer               |
 nummer_m_deko    | character varying(14) |
 nbident          | character varying(12) |
 vollstaendigkeit | character(15)         |
 datenherr        | character varying(80) |
 mut_nummer       | character varying(12) |
 geom             | geometry              |
```
.../mapserv?TYPENAME=grundstueck&REQUEST=DescribeFeatureType&SERVICE=WFS&VERSION=1.0.0 =>
```xml
<schema targetNamespace="http://mapserver.gis.umn.edu/mapserver"
        xmlns:ms="http://mapserver.gis.umn.edu/mapserver"
        xmlns:ogc="http://www.opengis.net/ogc"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns="http://www.w3.org/2001/XMLSchema"
        xmlns:gml="http://www.opengis.net/gml"
        elementFormDefault="qualified" version="0.1">
  <import namespace="http://www.opengis.net/gml" schemaLocation="http://schemas.opengis.net/gml/2.1.2/feature.xsd"></import>
  <element name="grundstueck" type="ms:grundstueckType" substitutionGroup="gml:_Feature"></element>
  <complexType name="grundstueckType">
    <complexContent>
      <extension base="gml:AbstractFeatureType">
        <sequence>
          <element name="msGeometry" type="gml:GeometryPropertyType" minOccurs="0" maxOccurs="1"></element>
          <element name="gs_id" type="string"></element>
          <element name="lsn_oid" type="string"></element>
          <element name="nummer" type="string"></element>
          <element name="gueltigkeit" type="string"></element>
          <element name="art" type="string"></element>
          <element name="gemeinde_id_bfs" type="string"></element>
          <element name="meta_id" type="string"></element>
          <element name="flaechenmass" type="string"></element>
          <element name="nummer_m_deko" type="string"></element>
          <element name="nbident" type="string"></element>
          <element name="vollstaendigkeit" type="string"></element>
          <element name="datenherr" type="string"></element>
          <element name="mut_nummer" type="string"></element>
        </sequence>
      </extension>
    </complexContent>
  </complexType>
</schema>
```
GetFeature request:
```xml
<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs" service="WFS" version="1.1.0"
                xsi:schemaLocation="http://www.opengis.net/wfs http://schemas.opengis.net/wfs/1.1.0/wfs.xsd"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <wfs:Query typeName="feature:grundstueck" srsName="EPSG:2056" xmlns:feature="http://mapserver.gis.umn.edu/mapserver">
    <ogc:Filter xmlns:ogc="http://www.opengis.net/ogc">
      <ogc:PropertyIsEqualTo matchCase="false">
        <ogc:PropertyName>nummer</ogc:PropertyName>
        <ogc:Literal>'10'</ogc:Literal>
      </ogc:PropertyIsEqualTo>
    </ogc:Filter>
  </wfs:Query>
</wfs:GetFeature>
```
=>
```xml
<ows:ExceptionReport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.1.0"
                     xmlns:ows="http://www.opengis.net/ows" language="en-US"
                     xsi:schemaLocation="http://www.opengis.net/ows http://schemas.opengis.net/ows/1.0.0/owsExceptionReport.xsd">
  <ows:Exception locator="mapserv" exceptionCode="NoApplicableCode">
    <ows:ExceptionText>msWFSGetFeature(): WFS server error. FLTApplyFilterToLayer() failed
msPostGISLayerWhichShapes(): Query error. Error (ERROR: syntax error at or near "10"
LINE 1: ...240000))',2056) and (( (lower("nummer") = lower(''10'') ) ))
                                                                ^
) executing query: select "gs_id","lsn_oid","nummer","gueltigkeit","art","gemeinde_id_bfs","meta_id","flaechenmass","nummer_m_deko","nbident","vollstaendigkeit","datenherr","mut_nummer",encode(ST_AsBinary(ST_Force_2D("geom"),'NDR'),'hex') as geom,"gs_id" from (SELECT * FROM av_ls.v_grundstueck) AS foo where geom && GeomFromText('POLYGON((2590000 1240000,2590000 1275000,2645000 1275000,2645000 1240000,2590000 1240000))',2056) and (( (lower("nummer") = lower(''10'') ) ))</ows:ExceptionText>
  </ows:Exception>
</ows:ExceptionReport>
```
The quote isn't escaped, so for me it's a security issue ...
Additional issue but less important:
```xml
<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs" service="WFS" version="1.1.0"
                xsi:schemaLocation="http://www.opengis.net/wfs http://schemas.opengis.net/wfs/1.1.0/wfs.xsd"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <wfs:Query typeName="feature:grundstueck" srsName="EPSG:2056" xmlns:feature="http://mapserver.gis.umn.edu/mapserver">
    <ogc:Filter xmlns:ogc="http://www.opengis.net/ogc">
      <ogc:PropertyIsEqualTo matchCase="false">
        <ogc:PropertyName>nummer</ogc:PropertyName>
        <ogc:Literal>10</ogc:Literal>
      </ogc:PropertyIsEqualTo>
    </ogc:Filter>
  </wfs:Query>
</wfs:GetFeature>
```
=>
```xml
<ows:ExceptionReport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.1.0"
                     xmlns:ows="http://www.opengis.net/ows" language="en-US"
                     xsi:schemaLocation="http://www.opengis.net/ows http://schemas.opengis.net/ows/1.0.0/owsExceptionReport.xsd">
  <ows:Exception locator="mapserv" exceptionCode="NoApplicableCode">
    <ows:ExceptionText>msWFSGetFeature(): WFS server error. FLTApplyFilterToLayer() failed
msPostGISLayerWhichShapes(): Query error. Error (ERROR: operator does not exist: character varying = integer
LINE 1: ...00 1240000,2590000 1240000))',2056) and (( ("nummer"= 10) ))
                                                               ^
HINT: No operator matches the given name and argument type(s). You might need to add explicit type casts.
) executing query: select "gs_id","lsn_oid","nummer","gueltigkeit","art","gemeinde_id_bfs","meta_id","flaechenmass","nummer_m_deko","nbident","vollstaendigkeit","datenherr","mut_nummer",encode(ST_AsBinary(ST_Force_2D("geom"),'NDR'),'hex') as geom,"gs_id" from (SELECT * FROM av_ls.v_grundstueck) AS foo where geom && GeomFromText('POLYGON((2590000 1240000,2590000 1275000,2645000 1275000,2645000 1240000,2590000 1240000))',2056) and (( ("nummer"= 10) ))</ows:ExceptionText>
  </ows:Exception>
</ows:ExceptionReport>
```
When we query a string with only digits, it queries it as a number ...
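The report shows the filter literal being pasted into the PostGIS WHERE clause without quote escaping. The following is an added C example (not MapServer's code and not the attached patch) of the standard SQL fix, doubling every single quote before wrapping the literal; the column name and the literal '10' are taken from the report above, everything else is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Double every single quote so the literal can sit safely between the
 * single quotes of a PostgreSQL string constant (standard SQL quoting).
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *escape_sql_literal(const char *in)
{
    size_t i, n = strlen(in), quotes = 0;
    for (i = 0; i < n; i++)
        if (in[i] == '\'') quotes++;
    char *out = malloc(n + quotes + 1);
    if (!out) return NULL;
    char *p = out;
    for (i = 0; i < n; i++) {
        *p++ = in[i];
        if (in[i] == '\'') *p++ = '\'';   /* ' becomes '' */
    }
    *p = '\0';
    return out;
}

/* Render a PropertyIsEqualTo comparison with the literal escaped first.
 * match_case == 0 mirrors matchCase="false" (lower() on both sides). */
char *build_equal_clause(const char *column, const char *literal, int match_case)
{
    char *esc = escape_sql_literal(literal);
    if (!esc) return NULL;
    size_t len = strlen(column) + strlen(esc) + 32;
    char *sql = malloc(len);
    if (sql) {
        if (match_case)
            snprintf(sql, len, "(\"%s\" = '%s')", column, esc);
        else
            snprintf(sql, len, "(lower(\"%s\") = lower('%s'))", column, esc);
    }
    free(esc);
    return sql;
}

int main(void)
{
    /* Constructed inputs: the report's literal '10' (quotes included), a plain value, one with an embedded quote. */
    const char *inputs[] = { "'10'", "10", "a'b" };
    for (int i = 0; i < 3; i++) {
        char *sql = build_equal_clause("nummer", inputs[i], 0);
        if (sql) { puts(sql); free(sql); }
    }
    return 0;
}
```

With the report's literal the comparison becomes lower('''10''') instead of the broken lower(''10''). Production code against PostgreSQL should use the driver's PQescapeStringConn, which additionally handles backslashes according to the connection's standard_conforming_strings setting.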
Attachments (4)
Change History (17)
comment:1 by , 13 years ago
Cc: | added |
---|---|
Component: | MapServer C Library → WFS Server |
Owner: | changed from | to
by , 13 years ago
Attachment: | 4087.patch added |
---|
comment:2 by , 13 years ago
Hello,
I attach a patch for the security issue. For the other issue, it's just because I missed this metadata: "gml_types" "auto"
CU Stéphane
by , 13 years ago
Attachment: | 4087_with_msFree.patch added |
---|
comment:5 by , 13 years ago
Component: | WFS Server → Security/Vulnerability (Private) |
---|---|
Owner: | changed from | to
comment:6 by , 13 years ago
Worthy of a 6.0.2 and 5.6.8? Same process as before I take it. Argh...
Steve
comment:7 by , 13 years ago
Cc: | added |
---|
comment:8 by , 13 years ago
Bump... Need to figure out a plan with this. I take it that this isn't "as" exploitable as it might have been before the 6.0.1/5.6.7/... releases but that there still are risks. Am I wrong?
Steve
comment:9 by , 13 years ago
Alan, can you please look into this to be included in a 6.0.2?
The encoding may be sufficient to fix the issue, but it's a bit embarrassing to be leaking the full SQL query. Should we not change the code to msDebug() the SQL query, and msSetError() only a more generic error message?
comment:10 by , 12 years ago
comment:11 by , 12 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Can be closed, the error report has been fixed in trunk and branch 6.0.
comment:12 by , 12 years ago
Should this be back ported to 5.6 (or at least patches provided)? I figure lots of folks have not taken the 6.x plunge.
Steve
patch to fix the security issue