[Geoserver-devel] cross site scripting vulnerability

Hi list,

Following a security audit on our server running OpenLayers 2.12 and Geoserver 2.3.0 a potential for Cross site Scripting has been highlighted.

Scripts could potentially be injected into requests to “GetLegendGraphic”.

I saw the post http://osgeo-org.1560.x6.nabble.com/Some-results-of-external-security-test-cross-site-scripting-and-request-for-a-bit-of-help-on-fixes-td5039681.html which mentions fixes going into Geoserver 2.1.x.

Can you tell me whether these fixes are now in version 2.3.x and whether there are any other parts of the software which are potentially vulnerable.

We cannot proceed with our website until we resolve these issues.

Many thanks

Justin Clowes | Jacobs | Principal GIS Developer, Information Management & GIS | +44.(0)141.243.8138 | +44.(0)7879 425506 (mobile) | www.jacobs.com


NOTICE - This communication may contain confidential and privileged information that is for the sole use of the intended recipient. Any viewing, copying or distribution of, or reliance on this message by unintended recipients is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.


Jacobs U.K. Limited
1180 Eskdale Road, Winnersh, Wokingham RG41 5TU
Registered in England and Wales under number 2594504

On Mon, Aug 12, 2013 at 3:50 PM, Clowes, Justin <Justin.Clowes@anonymised.com> wrote:

Hi list,

Following a security audit on our server running OpenLayers 2.12 and
Geoserver 2.3.0 a potential for Cross site Scripting has been highlighted.

Scripts could potentially be injected into requests to “GetLegendGraphic”.

I saw the post
http://osgeo-org.1560.x6.nabble.com/Some-results-of-external-security-test-cross-site-scripting-and-request-for-a-bit-of-help-on-fixes-td5039681.html which mentions fixes going into Geoserver 2.1.x.

Can you tell me whether these fixes are now in version 2.3.x and whether
there are any other parts of the software which are potentially vulnerable.

I don't think they ever did, they have not been turned into a pull request
and were lost (and they will likely stay that way until
someone makes a pull request or sponsors some working hours to review and
merge those changes).

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

Thanks Andrea,

There don't seem to be many users with the same problem.

Would you recommend making the changes ourselves on top of Geoserver 2.3.x?

regards
Justin Clowes | Jacobs | Principal GIS Developer, Information Management & GIS | +44.(0)141.243.8138 | +44.(0)7879 425506 (mobile) | justin.clowes@anonymised.com | www.jacobs.com

________________________________
From: andrea.aime@anonymised.com [mailto:andrea.aime@anonymised.com] On Behalf Of Andrea Aime
Sent: 12 August 2013 15:16
To: Clowes, Justin
Cc: Geoserver-devel
Subject: Re: [Geoserver-devel] cross site scripting vulnerability


On Mon, Aug 12, 2013 at 5:25 PM, Clowes, Justin <Justin.Clowes@anonymised.com> wrote:

Thanks Andrea,

There don’t seem to be many users with the same problem.

Would you recommend making the changes ourselves on top of Geoserver 2.3.x?

I guess it would be nice, and then, if you can make a pull request, we'd
avoid losing it a second time

Cheers
Andrea


I second what Andrea said,
if you provide a pull request for this, I will make sure we won't lose it!
Regards,
Simone Giannecchini

Our support, Your Success! Visit http://opensdi.geo-solutions.it for
more information.

Ing. Simone Giannecchini
@simogeo
Founder/Director

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Ok I've made these changes and I'm attempting to compile geoserver in Maven.
I'm afraid I'm new to Maven and this build process.
I'm getting the build error:

[ERROR] \geoserver233b\geoserver-2.3.3\platform\src\main\java\org\geoserver\platform\ServiceException.java:[193,9] cannot find symbol
[ERROR] symbol : variable Encode

"Encode" is a separate component in a jar file.
Can anyone tell me where this jar file should be placed and how it should
be referenced in the pom.xml?
I already have the following in ows\pom.xml:

<dependency>
  <groupId>org.owasp.encoder</groupId>
  <artifactId>encoder</artifactId>
  <version>1.1</version>
  <scope>system</scope>
  <systemPath>${basedir}/encoder-1.1.jar</systemPath>
</dependency>

I'm trying to add a path to the jar file but I'm not sure if this is the
correct approach.

Any help is appreciated.

regards

Justin Clowes | Jacobs | Principal GIS Developer, Information Management &
GIS | +44.(0)141.243.8138 | +44.(0)7879 425506 (mobile) |
justin.clowes@anonymised.com | www.jacobs.com
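As an added example (not GeoServer's ServiceException code and not written by anyone in this thread), the block below shows how the OWASP Java Encoder that the build error refers to is used to neutralise request-derived text before it is written into an exception report. `org.owasp.encoder.Encode` and its `forXml` and `forHtml` methods are the library's real API from the artifact org.owasp.encoder:encoder:1.1 named in the pom fragment above; the class `SafeExceptionReport`, its three `render*` methods and the sample message are constructed for this example.

```java
import org.owasp.encoder.Encode;

// Added example, not GeoServer code: contextual output encoding of an
// exception message that may carry text copied from the request.
public class SafeExceptionReport {

    // Unsafe: request-derived text is concatenated into the body verbatim,
    // so any markup it carries is interpreted by the client.
    static String renderUnsafe(String message) {
        return "<ServiceExceptionReport><ServiceException>"
                + message
                + "</ServiceException></ServiceExceptionReport>";
    }

    // Safe for an XML body: '<', '>', '&' and quotes become entities.
    static String renderXml(String message) {
        return "<ServiceExceptionReport><ServiceException>"
                + Encode.forXml(message)
                + "</ServiceException></ServiceExceptionReport>";
    }

    // Safe for an HTML body (an HTML error page); the HTML encoder is used
    // here because HTML and XML escaping rules differ slightly.
    static String renderHtml(String message) {
        return "<html><body><pre>" + Encode.forHtml(message) + "</pre></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample value: a parameter carrying markup, as an
        // audit scanner would send it in a GetLegendGraphic request.
        String tainted = "Unknown layer: <script>alert(1)</script>";
        System.out.println(renderUnsafe(tainted)); // the script element survives intact
        System.out.println(renderXml(tainted));    // angle brackets come out as &lt; and &gt;
        System.out.println(renderHtml(tainted));   // same escaping of the markup, HTML rules
    }
}
```

With a Maven build the jar does not need to sit next to the sources: declare the dependency with only the groupId `org.owasp.encoder`, artifactId `encoder` and version `1.1` (no `<scope>system</scope>` and no `<systemPath>`), and Maven resolves it from the central repository at build time. A quick check that the encoding is actually reached is to send a request with a deliberately malformed parameter to a test instance and confirm that the response body contains `&lt;` rather than a raw `<`.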

-----Original Message-----
From: Simone Giannecchini [mailto:simone.giannecchini@anonymised.com]
Sent: 14 August 2013 10:45
To: Andrea Aime
Cc: Geoserver-devel; Clowes, Justin
Subject: Re: [Geoserver-devel] cross site scripting vulnerability


Hi list,

Sorry I didn't finish the work completely and missed these emails.
Justin, I'll try to help you with my initial work. It would be great if you could create a pull request for the newer Geoserver versions (I am working on other projects now); otherwise I'll try to find time one of these days to do that.

Regards,
Thijs


On Wed, Aug 28, 2013 at 6:05 PM, Clowes, Justin <Justin.Clowes@anonymised.com> wrote:

Ok I've made these changes and I'm attempting to compile geoserver in
Maven.
I'm afraid I'm new to Maven and this build process.
I'm getting the build error:

[ERROR] \geoserver233b\geoserver-2.3.3\platform\src\main\java\org\geoserver\platform\ServiceException.java:[193,9] cannot find symbol
[ERROR] symbol : variable Encode

"Encode" is a separate component in a jar file.
Can anyone tell me where this jar file should be placed and how it should
be referenced in the pom.xml?
I already have the following in ows\pom.xml:

<dependency>
  <groupId>org.owasp.encoder</groupId>
  <artifactId>encoder</artifactId>
  <version>1.1</version>
  <scope>system</scope>
  <systemPath>${basedir}/encoder-1.1.jar</systemPath>
</dependency>

I'm trying to add a path to the jar file but I'm not sure if this is the
correct approach.

With Maven you never have jars to be installed locally or to be put among
the
sources, you just declare a dependency and Maven will download it on
the disk in the proper place for you.

I believe this is the dependency you're looking for?

http://mvnrepository.com/artifact/org.owasp.encoder/encoder/1.1

Cheers
Andrea


Thanks for your help and to Thijs Brentjens.
Geoserver builds successfully and these changes have solved the cross site scripting problem.

According to our security audit we have a similar problem with error messages. The following is deemed a risk:

/geoserver230/wms URL encoded GET input HEIGHT was set to
Error message found: java.lang.NumberFormatException: For input string:

GET /geoserver230/wms?FORMAT=image/png&HEIGHT=&LAYER=mylayer&REQUEST=GetLegendGraphic&Transparent=true&VERSION=1.0.0&WIDTH=20

I've checked the global settings that we are not outputting verbose messages.

Is there any way to change the error response or to redirect before this is output, or does the Java need changing again?

Our security scan software seems very strict; I don't see that many users with similar issues.

thanks
Justin Clowes | Jacobs | Principal GIS Developer, Information Management & GIS | +44.(0)141.243.8138 | +44.(0)7879 425506 (mobile) | justin.clowes@anonymised.com | www.jacobs.com
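The text the scanner flagged is the JDK's own `NumberFormatException` message: `Integer.parseInt` quotes the offending string verbatim (for the empty HEIGHT in that request, an empty string), so whatever is sent in the parameter is reflected into the response body when that message is passed through into the service exception. As an added example that is not GeoServer code and was not written by anyone in this thread, the block below shows the code-level mitigation: validate the parameter, catch the JDK exception and replace its message with a fixed one that names only the parameter. The class `BoundedIntParam`, the method `parseDimension`, the exception type and the limit of 4096 are constructed for this example.

```java
// Added example, not GeoServer code: parse a numeric request parameter
// without letting the raw input reach the error message.
public class BoundedIntParam {

    // Assumed upper bound for a legend width/height; not a GeoServer setting.
    static final int MAX_DIMENSION = 4096;

    // The message names the parameter only. 'name' must be a literal from
    // the code (e.g. "HEIGHT"), never a string taken from the query string.
    static class InvalidParameterException extends Exception {
        InvalidParameterException(String name) {
            super("Parameter " + name + " must be an integer between 1 and " + MAX_DIMENSION);
        }
    }

    static int parseDimension(String name, String raw) throws InvalidParameterException {
        // Reject missing, empty or implausibly long values before parsing.
        if (raw == null || raw.isEmpty() || raw.length() > 6) {
            throw new InvalidParameterException(name);
        }
        int value;
        try {
            value = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            // e.getMessage() is 'For input string: "<raw>"'; it is dropped
            // here so the client never sees its own input echoed back.
            throw new InvalidParameterException(name);
        }
        if (value < 1 || value > MAX_DIMENSION) {
            throw new InvalidParameterException(name);
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample values: the empty HEIGHT from the scanner's
        // request, a value carrying markup, and a valid value.
        String[] samples = { "", "<script>alert(1)</script>", "20" };
        for (String raw : samples) {
            try {
                System.out.println("parseInt:   " + Integer.parseInt(raw));
            } catch (NumberFormatException e) {
                System.out.println("parseInt:   " + e.getMessage()); // echoes the raw input
            }
            try {
                System.out.println("validated:  " + parseDimension("HEIGHT", raw));
            } catch (InvalidParameterException e) {
                System.out.println("validated:  " + e.getMessage()); // fixed text only
            }
        }
    }
}
```

Whether the message in the scanner report can be suppressed by a setting depends on the GeoServer code path that parses HEIGHT, which is not shown in this thread; the pattern above is the code-level fix and applies wherever a JDK parse exception is allowed to propagate into a service exception. Even with a fixed message, the report body should still go through the output encoding, since the two measures protect against different mistakes.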

________________________________
From: andrea.aime@anonymised.com [mailto:andrea.aime@anonymised.com] On Behalf Of Andrea Aime
Sent: 29 August 2013 09:32
To: Clowes, Justin
Cc: Geoserver-devel
Subject: Re: [Geoserver-devel] cross site scripting vulnerability
