[Geoserver-devel] [JIRA] (GEOS-8805) Reflected cross-site scripting vulnerabilities in wms

Nenad Steric created an issue

GeoServer / Bug GEOS-8805

Reflected cross-site scripting vulnerabilities in wms

Issue Type: Bug
Affects Versions: 2.13.1
Assignee: Unassigned
Components: WMS
Created: 27/Jun/18 1:10 PM
Environment: Centos 7
Priority: Medium
Reporter: Nenad Steric

From our security test:
The name of an arbitrarily supplied URL parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 25064;alert(1)//419 was submitted in the name of an arbitrarily supplied URL parameter. This input was echoed as 25064;ALERT(1)//419 in the application’s response.

GET /geoserver/nurc/wms?service=WMS&version=1.1.0&request=GetMap&layers=nurc:Arc_Sample&styles=&bbox=-180.0,-90.0,180.0,90.0&width=768&height=384&srs=EPSG:4326&format=application/openlayers&25064%3balert(1)%2f%2f419=1 HTTP/1.1

*Response*
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN

params:

{‘FORMAT’: format, ‘VERSION’: ‘1.1.1’, 25064;ALERT(1)//419: ‘1’, STYLES: ‘’, LAYERS: ‘nurc:Arc_Sample’, }

This is for
/geoserver/nurc/wms
/geoserver/sf/wms
etc…
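
The pattern described in the report, a request parameter name written bare into a JavaScript object literal, is shown below next to an encoded form. This is an added example, not part of the original report and not GeoServer's code; the function names (renderParamsUnsafe, renderParamsSafe, jsString) are hypothetical and the sample input is constructed from the request quoted above.

```javascript
// Constructed sample input: parsed query parameters, including the
// parameter name quoted in the report.
const sampleParams = {
  LAYERS: "nurc:Arc_Sample",
  STYLES: "",
  "25064;alert(1)//419": "1",
};

// Unsafe pattern matching the response in the report: names are upper-cased
// and written without quotes, so the name is parsed as JavaScript source.
function renderParamsUnsafe(params) {
  const entries = Object.entries(params)
    .map(([k, v]) => `${k.toUpperCase()}: '${v}'`);
  return `{${entries.join(", ")}}`;
}

// Encode a value as a JS string literal that is also safe inside an HTML
// <script> element. JSON.stringify escapes quotes, backslashes and control
// characters; the extra replacements keep "</script>" or "<!--" in the data
// from ending or altering the script block, and cover U+2028/U+2029.
function jsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened form: both names and values are emitted as string literals, so
// request data can only ever be data in the generated object.
function renderParamsSafe(params) {
  const entries = Object.entries(params)
    .map(([k, v]) => `${jsString(k.toUpperCase())}: ${jsString(v)}`);
  return `{${entries.join(", ")}}`;
}

console.log("unsafe:", renderParamsUnsafe(sampleParams));
console.log("safe:  ", renderParamsSafe(sampleParams));
```

An allow-list of the parameter names the page template actually needs would remove arbitrary names from the output entirely; the encoding above is the fallback for whatever is still echoed.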
