[Geoserver-devel] Cross-site scripting in Geoserver 2.4.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I recently scanned a new Geoserver 2.4.2 installation with HP WebInspect and the application
found cross-site and cross-frame scripting vulnerabilities in the Geoserver code. I'd like to
report these so they can get fixed, but because of security policies (this is a US government
site) I can't just send the WebInspect report to a mailing list.

The cross-site scripting vulnerability is in /geoserver/view/wms and the cross-frame
vulnerability is in /geoserver/index.html. If someone will email me (michael.raugh@anonymised.com)
with a direct contact email address, I will send them the full WebInspect scan report with the
details of what the request and response were.

Thanks,

<MR>
-----------------------------------
Michael Raugh
NOAA/NESDIS-HQ Sr. Systems Engineer

On 12/24/2013 10:24 AM, geoserver-devel-request@lists.sourceforge.net wrote:

Today's Topics:

1. Re: PNG encoder comparison - complex stylings (Jonathan Moules)

----------------------------------------------------------------------

Message: 1
Date: Tue, 24 Dec 2013 15:23:37 +0000
From: Jonathan Moules <jonathanmoules@anonymised.com>
Subject: Re: [Geoserver-devel] PNG encoder comparison - complex stylings
To: Andrea Aime <andrea.aime@anonymised.com>
Cc: Geoserver-devel <geoserver-devel@lists.sourceforge.net>
Message-ID: <CAA-xNcWFtVT+zeF3rxG9jgnzuS7KSxTRY=Z8a3zxiTNTR--vvQ@anonymised.com>
Content-Type: text/plain; charset="us-ascii"

Hi Andrea, Thanks for your investigations. I'm on Windows 64bit, so no native Image I/O
here. I guess that means we should be equal (Geoserver 2.4.3 here) but clearly yours is
much faster. In theory ours is somewhat optimised - we had Simone consult on it and tell me
the stuff I'd missed. I agree the throughput is somewhat meaningless which is why I'm using
ms averages. Also because that's how long the user will have to wait for their response
which is more important to me than throughput.

I chose that image size because that's the size of a single WMS request that our
web-application makes for a 1280*1024 monitor (what many of our users have). The idea of
the zoom threshold was to allow the different SLDs to take effect (though it's only one
set with the Strategi stuff, albeit with a few scale-thresholded layers).

=====

I've now been running these against our live systems too (normally that'd be rather
irresponsible, but it's Xmas eve and no-one is in; probably the only day I can do this in
the year!). Our live server, which has a few fewer cores (12), and three load-balanced
instances is definitely much better able to handle 10 threads - I get a total average of
3316ms (2.9r/s) in that scenario (Oracle layers, PNG encoder). That uses 100% of the CPU
(~30% per instance). The optimum seems to be about 8 threads; any more than that and the
response time plummets.

However it's just as slow for 1 thread as the test system was.

Also, I'm new to JMeter so don't know what the best plans are yet. This is a hybrid of
Christian's and what the internet presented and what seemed to work.

----

In relation to your using PNGJ test - Your total average response times are about 1/3rd
mine (2.5s compared to my 7.5s for the same thing), while using a heck of a lot less CPU
power too. So either I have something really badly configured on my install, or Windows is
even more crippled than I thought.

Best, Jonathan

On 24 December 2013 14:55, Andrea Aime <andrea.aime@anonymised.com> wrote:

On Tue, Dec 24, 2013 at 2:43 PM, Jonathan Moules <jonathanmoules@anonymised.com>
wrote:

Hi Andrea, I've pre-packaged everything for you including the data. Layergroups, SLDs
(mine are completely different - no idea what theirs look like), and workspaces. I
think you'll just need to change where the stores are looking to wherever you put the
shapefiles, but you're going to know better than me.

z_test is the layergroup I'm testing against (it contains the EU basemap and strategi
layergroups).

http://maps.warwickshire.gov.uk/misc/strategi.zip - also includes the JMX.

Thanks. I made a very quick test with what I had handy, a GeoServer 2.4.x, Oracle JDK 7
(which has known scalability issues) and not even the Image/IO native PNG encoder enabled
(so, I'm using the slowest PNG encoder in the lot) with a core i7 820 (three years old
CPU) I get a throughput that is 2.4 times faster than yours (without even trying... but
I'm under Linux 64 bits, that might be a factor):

[image: Inline image 2]

CPU consumption was around 60%.

Btw, this JMeter setup is a bit different from what I'm used to, the various zoom levels
are not run sequentially, in isolation, but all together at the same time, using 10
threads, so the real throughput is the TOTAL one, 3.4r/s, the throughput value associated
to the various zoom levels is apparently meaningless? The size of the output image is
also a factor, it's "big" compared to the sizes that were used for the FOSS4G benchmarks,
at 1272x1261 it is roughly 4 times bigger than the average one used in last public
benchmarking effort.

When I have time I'll run some tests with OpenJDK and PNGJ and report back, and also have
a look at profiles, to see if there is anything obvious to optimize.

Cheers Andrea

-- == GeoSolutions will be closed for seasonal holidays from 23/12/2013 to 06/01/2014 ==

Ing. Andrea Aime @geowolf Technical Lead

GeoSolutions S.A.S. Via Poggio alle Viti 1187 55054 Massarosa (LU) Italy phone: +39 0584
962313 fax: +39 0584 1660272 mob: +39 339 8844549

http://www.geo-solutions.it http://twitter.com/geosolutions_it

-------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSuajRAAoJEKqHKCLpKNmo0rMIALzfREmOcnN6fap7juSZ2dkR
0uw4jrFp9/qh7a2n2pglN3S86eAWtxCEUE/E/VaE4znAT1dr71Za4WJ76VMFq9EG
jPgrWywT0UQylaIQUtHJ71Tl2ss92MhpOPifKvzoblvc4SF1e2l7Gz0/YsI79HVX
xu0F/u0MXCe77KK3frqOzprAinvwC2KcUoIv92Cq9r3c++nf7QGkqgt7YFjGgB4t
5dn2krDk47siCRjBWxRqzyzof/eDVqebxLC6PSxI6vZ0tBLV7HO47vCnUUzwcbOc
7m6QfAHOG/XVluaymooAV9xlPHDQcNX735mbgSvJ9nbrniYyixTdTbiVYVdXxGE=
=YnOA
-----END PGP SIGNATURE-----
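The report at the top of this thread names two scanner findings without the request/response details: a reflected cross-site scripting hit on /geoserver/view/wms and a cross-frame scripting (framing/clickjacking) hit on /geoserver/index.html. The script below is an added example, not code from the original message or from the GeoServer project, showing the minimal check a reviewer would run to confirm or rule out each finding: does a canary string come back in the response body unencoded, and does the response carry X-Frame-Options or a CSP frame-ancestors directive. The query parameter name, the canary value, the "gsprobe" User-Agent and the sample response bodies and headers are all assumptions constructed for the example; the page does not say which parameter the scanner used.

```python
import html
import re
import urllib.request
from urllib.parse import urlencode

# Canary that is harmless if echoed; the quotes and angle brackets are the
# characters an HTML encoder must neutralise, so the raw string only survives
# in a response that does no output encoding. (Chosen for this example.)
CANARY = "'\"<gsprobe>"


def reflection_status(body: str, canary: str = CANARY) -> str:
    """Classify how a response body echoes the canary.

    'unescaped' - canary appears verbatim: a reflected-XSS candidate
    'escaped'   - only the HTML-encoded form appears: input was encoded
    'absent'    - not echoed at all
    """
    if canary in body:
        return "unescaped"
    if html.escape(canary, quote=True) in body:
        return "escaped"
    return "absent"


def frame_protections(headers: dict) -> list:
    """List the anti-framing controls present in a response's headers.

    A cross-frame scripting finding means the page can be loaded inside a
    third-party <iframe>; the two standard defences are X-Frame-Options
    (DENY or SAMEORIGIN) and a Content-Security-Policy frame-ancestors
    directive. Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    found = []
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        found.append("X-Frame-Options: " + xfo)
    csp = lower.get("content-security-policy", "")
    if re.search(r"\bframe-ancestors\b", csp, re.IGNORECASE):
        found.append("CSP frame-ancestors")
    return found


def assess(body: str, headers: dict, canary: str = CANARY) -> dict:
    """Combine both checks into one verdict for a single response."""
    reflection = reflection_status(body, canary)
    protections = frame_protections(headers)
    return {
        "reflection": reflection,
        "frame_protections": protections,
        "xss_candidate": reflection == "unescaped",
        "frameable": not protections,
    }


def probe(url: str, param: str, canary: str = CANARY, timeout: float = 10.0) -> dict:
    """Live version: send the canary in one query parameter and assess the reply.

    Only run this against a server you are authorised to test. `param` is
    whatever parameter the scanner flagged; it is an argument here because the
    thread above does not name it.
    """
    sep = "&" if "?" in url else "?"
    req = urllib.request.Request(url + sep + urlencode({param: canary}),
                                 headers={"User-Agent": "gsprobe/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
        return assess(body, dict(resp.headers.items()), canary)


# Constructed sample responses (not real GeoServer output) so the checks can
# be exercised offline: one echoes the canary raw with no framing headers,
# the other encodes it and sets both protections.
VULN_BODY = "<html><body>Requested layer: " + CANARY + " not found</body></html>"
FIXED_BODY = ("<html><body>Requested layer: "
              + html.escape(CANARY, quote=True) + " not found</body></html>")
UNPROTECTED_HEADERS = {"Content-Type": "text/html"}
PROTECTED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

if __name__ == "__main__":
    print(assess(VULN_BODY, UNPROTECTED_HEADERS))
    print(assess(FIXED_BODY, PROTECTED_HEADERS))
```

For the live check you would call `probe("https://host/geoserver/view/wms", "<param>")` for the XSS finding and `assess("", headers)` on a plain GET of /geoserver/index.html for the framing finding; an "unescaped" result only says the server echoes input without encoding, so the exact context (attribute, text node, script block) still has to be read off the response before calling it exploitable.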