Tim Schaub created GEOS-5318
Issue Type: Bug
Affects Versions: 2.2-RC3
Assignee:
Components: WMS
Created: 20/Sep/12 3:26 PM
Description:
The application/openlayers WMS output format allows for script injection in the rendered page. It looks like the endpoint takes any user-provided query string parameters and includes them as WMS layer parameters (all uppercased) and as GetFeatureInfo parameters (unaltered). Some browsers (recent WebKit) will not execute scripts found to have the same text as query string parameters/values, but other browsers will execute these scripts. This would allow Evil Hacker to pass a link to GeoServer User and have a script running on GeoServer User's page that could send information back to Evil Hacker without GeoServer's knowledge. To avoid this vulnerability, all user-provided query string parameters and values should be sanitized/HTML-escaped before including them in page content.
Project:
Priority: Major
Reporter:
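
The fix requested in the description, as an added example that is not GeoServer's code or part of the original report: a hypothetical page renderer that echoes query parameters once without escaping and once with escaping matched to the output context. It assumes the values land both in an inline script (as the layer parameters) and in HTML markup; the class, method names and sample query are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added example: hypothetical renderer, not GeoServer's template code.
public class PreviewPageEscaping {
    // Escape for HTML text and attribute values ('&' must be replaced first).
    static String html(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Escape for a quoted JavaScript string inside an inline script block:
    // every character outside a small allow-list becomes a backslash-u hex
    // escape, so quotes, backslashes and a closing script tag cannot appear.
    static String js(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || " _.,:-".indexOf(c) >= 0;
            out.append(safe ? String.valueOf(c) : String.format("\\u%04x", (int) c));
        }
        return out.toString();
    }

    // Assumed page layout: keys uppercased into a script-block object literal,
    // and key/value pairs echoed unaltered into an HTML list.
    static String render(Map<String, String> query, boolean escape) {
        StringBuilder script = new StringBuilder("<script>\nvar layerParams = {");
        StringBuilder list = new StringBuilder();
        for (Map.Entry<String, String> e : query.entrySet()) {
            String key = e.getKey(), upper = key.toUpperCase(Locale.ROOT), val = e.getValue();
            script.append('"').append(escape ? js(upper) : upper).append("\": \"")
                  .append(escape ? js(val) : val).append("\", ");
            list.append("<li>").append(escape ? html(key) : key).append(" = ")
                .append(escape ? html(val) : val).append("</li>\n");
        }
        return script.append("};\n</script>\n<ul>\n").append(list).append("</ul>\n").toString();
    }

    public static void main(String[] args) {
        Map<String, String> query = new LinkedHashMap<>();
        query.put("layers", "ns:layer"); // constructed sample layer name
        // Constructed value standing in for untrusted query-string input.
        query.put("styles", "\"};</script><script>alert(1)</script>");
        System.out.println("--- unescaped (vulnerable) ---\n" + render(query, false));
        System.out.println("--- escaped ---\n" + render(query, true));
    }
}
```

In the escaped output the constructed value stays inside its string literal in the script block and appears as inert text in the list; keys are escaped as well as values because both come from the query string.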