[Geoserver-devel] [JIRA] (GEOS-9010) XSS on format parameter for WMTS layers

Thibault created an issue

GeoServer / Bug GEOS-9010

XSS on format parameter for WMTS layers

Issue Type: Bug
Assignee: Unassigned
Attachments: XXS-POC.png
Created: 14/Nov/18 3:24 PM
Environment: CentOS
Priority: High
Reporter: Thibault

Hello GeoServer Team,

I found an XSS vulnerability during a penetration test today.

It’s on the format parameter of the /wmts endpoint.
https://customer.domain/geoserver/wmts?layer=LAYER_USED&style=normal&tilematrixset=PM&Service=WMTS&Request=GetTile&Version=1.0.0&format=image/png

If you open this URL in a browser and change the format parameter value to: <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert('TEST TEST')</something:script>

Tadaa!

I’m sorry I’m not able to give you the version of Geoserver used by our customer.
Please let me know if you have any questions.

Thank you,
Thibault
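
Added example (not part of the report and not GeoServer code): a Python sketch of the defensive handling for this class of bug, comparing an error document that echoes the format value raw with one that XML-escapes it, and rejecting values outside an allow-list. It assumes the value is reflected into an XML error response, which the namespaced payload suggests but the report does not state; the document shape, function names and allow-list are hypothetical.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XHTML_NS = "http://www.w3.org/1999/xhtml"
# Assumed allow-list; a real server would derive it from the layer's configured formats.
ALLOWED_FORMATS = {"image/png", "image/jpeg"}

# The value quoted in the report, used here as test input.
REPORTED_VALUE = ('<something:script xmlns:something="' + XHTML_NS + '">'
                  "alert('TEST TEST')</something:script>")

# Hypothetical error document; only its XML nature matters for the demonstration.
TEMPLATE = ('<ExceptionReport><Exception exceptionCode="InvalidParameterValue" '
            'locator="format"><ExceptionText>Unknown format: {}</ExceptionText>'
            '</Exception></ExceptionReport>')

def unsafe_error(fmt):
    """Echoes the raw value: any markup in it becomes part of the document."""
    return TEMPLATE.format(fmt)

def safe_error(fmt):
    """Escapes &, < and > so the value can only ever be character data."""
    return TEMPLATE.format(escape(fmt))

def handle_format(fmt):
    """Returns (status, content_type, body) for a tile request's format value."""
    if fmt in ALLOWED_FORMATS:
        return 200, fmt, "<tile bytes>"
    return 400, "application/xml", safe_error(fmt)

def script_elements(xml_text):
    """Lists XHTML-namespace script elements, which a browser would execute."""
    root = ET.fromstring(xml_text)
    return [el.tag for el in root.iter() if el.tag == "{%s}script" % XHTML_NS]

def echoed_text(xml_text):
    """Returns the error text as an XML consumer would read it."""
    return ET.fromstring(xml_text).find("./Exception/ExceptionText").text

if __name__ == "__main__":
    print("raw echo    :", script_elements(unsafe_error(REPORTED_VALUE)))
    print("escaped echo:", script_elements(safe_error(REPORTED_VALUE)))
    print("handler     :", handle_format(REPORTED_VALUE)[:2])
```

The escaped document still reports the rejected value verbatim to the client, so escaping costs nothing in diagnostics.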
