[Geoserver-devel] [jira] (GEOS-5318) cross-site scripting vulnerability in layer preview pages

Tim Schaub created Bug GEOS-5318
cross-site scripting vulnerability in layer preview pages

Issue Type:

Bug

Affects Versions:

2.2-RC3

Assignee:

Andrea Aime

Components:

WMS

Created:

20/Sep/12 3:26 PM

Description:

The application/openlayers WMS output format allows for script injection in the rendered page. It looks like the endpoint takes any user provided query string parameters and includes them as WMS layer parameters (all uppercased) and as GetFeatureInfo parameters (unaltered).

Here’s an example:
http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp:states&styles=&bbox=-122.911,42.289,-122.777,42.398&width=512&height=416&srs=EPSG:4326&format=application/openlayers&%3C%2Fscript%3E%3Cscript%3Ealert%28%27x-scripted%27%29%3C%2Fscript%3E%3Cscript%3E=foo

Some browsers (recent WebKit) will not execute scripts found to have the same text as query string parameters/values, but other browsers will execute these scripts.

This would allow Evil Hacker to pass a link to GeoServer User and have a script running on GeoServer User’s page that could send information back to Evil Hacker without GeoServer’s knowledge.

To avoid this vulnerability, all user provided query string parameters and values should be sanitized/html-escaped before including them in page content.
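To make the recommended fix concrete, here is an added example (not GeoServer's code) that mirrors the reported pattern in Python: the query string from the URL above is decoded, copied into a `<script>` block the way the report describes, and then rendered a second time with every user-supplied name and value HTML-escaped first. A small check counts closing script tags so the difference between the two renderings is measurable rather than eyeballed. The URL, the shape of the `params` object and the helper names are constructed for this illustration.

```python
import html
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the request URL from the report, including its
# script-injection parameter name (URL-encoded, value "foo").
REPORT_URL = (
    "http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap"
    "&layers=topp:states&styles=&bbox=-122.911,42.289,-122.777,42.398&width=512"
    "&height=416&srs=EPSG:4326&format=application/openlayers"
    "&%3C%2Fscript%3E%3Cscript%3Ealert%28%27x-scripted%27%29%3C%2Fscript%3E%3Cscript%3E=foo"
)


def query_params(url):
    """Decode the query string into (name, value) pairs; empty values (styles=) are kept."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def render_params_vulnerable(params):
    """Reproduce the reported behaviour: parameters are written into the page verbatim.
    Kept only so the contrast with the escaped rendering is visible."""
    lines = ["<script>", "var params = {"]
    for name, value in params:
        lines.append('  "%s": "%s",' % (name, value))
    lines += ["};", "</script>"]
    return "\n".join(lines)


def render_params_escaped(params):
    """Hardened rendering: every user-supplied name and value is HTML-escaped
    (<, >, &, quotes) before it is placed in page content, as the report recommends."""
    lines = ["<script>", "var params = {"]
    for name, value in params:
        safe_name = html.escape(name, quote=True)
        safe_value = html.escape(value, quote=True)
        lines.append('  "%s": "%s",' % (safe_name, safe_value))
    lines += ["};", "</script>"]
    return "\n".join(lines)


def count_script_close_tags(page):
    """Detection helper: the template itself contributes exactly one </script>;
    any additional one came from user-controlled input breaking out of the block."""
    return page.lower().count("</script>")


if __name__ == "__main__":
    params = query_params(REPORT_URL)
    print("verbatim rendering, </script> count:",
          count_script_close_tags(render_params_vulnerable(params)))  # 3
    print("escaped rendering,  </script> count:",
          count_script_close_tags(render_params_escaped(params)))  # 1
    print(render_params_escaped(params))
```

Escaping in this way stops the break-out, but inside a `<script>` block the browser does not decode HTML entities, so the JavaScript sees `&lt;` rather than `<` in the affected value. Where the exact value has to survive into script context, the equivalent measure is to serialize the parameters with a JSON encoder that escapes `<` as `\u003c`; for the ordinary WMS parameters in the URL above (layers, bbox, srs, ...) both approaches leave the values unchanged.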

Project:

GeoServer

Priority:

Major

Reporter:

Tim Schaub

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your [JIRA administrators](https://jira.codehaus.org/secure/ContactAdministrators!default.jspa). For more information on JIRA, see: [http://www.atlassian.com/software/jira](http://www.atlassian.com/software/jira)