[Geoserver-users] Handling of a detected security flaw

Hi,

In general, how do you handle potential security flaws? Do we discuss the potential flaw here on the mailing list?

Regards

Hi List,
Cc’ing the dev list too because this raises a question that some googling doesn’t answer - does GeoServer have a Responsible (or Full) Disclosure policy? I can’t seem to find anything which is surprising given the nature of GeoServer as a server and thus potentially a portal into many organisations.

Those with commercial support can go to their vendor, but a security researcher (or just random person) won’t have that. And beyond that, it doesn’t address whether GeoServer should go with Full or Responsible disclosure (or something else) - something for the PSC? Many projects have a “security@anonymised.com…” email address which points to something private.

https://en.wikipedia.org/wiki/Responsible_disclosure

and
https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)

Thoughts?
Cheers,
Jonathan

---------- Forwarded message ----------
From: Isakson Mats <Mats.K.Isaksson@anonymised.com>
Date: 9 May 2014 12:32
Subject: [Geoserver-users] Handling of a detected security flaw
To: “geoserver-users@lists.sourceforge.net” <geoserver-users@lists.sourceforge.net>

Hi,

In general, how do you handle potential security flaws? Do we discuss the potential flaw here on the mailing list?

Regards


Mats Isakson
Systemutvecklare
Lantmäteriet, Division Informationsförsörjning
the Swedish mapping, cadastral and land registration authority
Box 820, 981 28 Kiruna
E-post: mats.k.isaksson@anonymised.com
Tel: +46 980 670 46
Mobil: +46 72 242 37 24
www.lantmateriet.se




Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

This transmission is intended for the named addressee(s) only and may contain confidential, sensitive or personal information and should be handled accordingly. Unless you are the named addressee (or authorised to receive it for the addressee) you may not copy or use it, or disclose it to anyone else. If you have received this transmission in error please notify the sender immediately. All email traffic sent to or from us, including without limitation all GCSX traffic, may be subject to recording and/or monitoring in accordance with relevant legislation.

On Fri, May 9, 2014 at 1:32 PM, Isakson Mats <Mats.K.Isaksson@anonymised.com> wrote:

Hi,

In general, how do you handle potential security flaws? Do we discuss the
potential flaw here on the mailing list?

There are two possible mechanisms:
* the open source way, in the open, on the mailing list
* the commercial way, in private, with a commercial support provider

It would be nice to have a "free but private" way; to do that we'd need some staff that has paid time to look at these issues from, e.g., a foundation of sorts, but that's not something we have available (or that was ever discussed).

Cheers
Andrea

--

Meet us at GEO Business 2014! in London! Visit http://goo.gl/fES3aK
for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

Hi,

Ok, the open source way is fine with me.

During a security test we discovered that there is a potential XSS (cross-site scripting) flaw in the generation of service exceptions in (some) WMS and WFS services of Geoserver 2.4.x. I haven't been able to test using Geoserver 2.5; perhaps the flaw is fixed? Please let me know if so.

WFS Proof of concept:

WFS 1.0 PoC: http://demo.opengeo.org/geoserver/ows?SERVICE=WFS&request=“><a%20xmlns:a=%27http://www.w3.org/1999/xhtml%27><a:body%20onload=“alert%28%27xss%27%29”/><”&VERSION=1.0

If I remove the version info, or use WFS version=2.0, the service exception is encoded properly, and no injection is possible:

WFS (without version): http://demo.opengeo.org/geoserver/ows?SERVICE=WFS&request=“><a%20xmlns:a=‘http://www.w3.org/1999/xhtml’><a:body%20onload=“alert(‘xss’)”/></a><”

The WMS service behaves differently. Using no version (or version 1.3.0), the XSS is "successful". Using the 1.1.1 version, the content-type response header is set to application/vnd.ogc.se_xml, hence no execution in the browser.

WMS Proof of concept:

WMS (without version): http://demo.opengeo.org/geoserver/ows?SERVICE=WMS&request=“><a%20xmlns:a=‘http://www.w3.org/1999/xhtml’><a:body%20onload=“alert(‘xss’)”/></a><”

Using version 1.1.1 sets the content-type header to application/vnd.ogc.se_xml:

WMS (version 1.1.1): http://demo.opengeo.org/geoserver/ows?SERVICE=WMS&request=“><a%20xmlns:a=%27http://www.w3.org/1999/xhtml%27><a:body%20onload=“alert%28%27xss%27%29”/><”&version=1.1.1

It seems to me that the correct handling of service exceptions is implemented in the WFS 2.0 "handler"; is it possible to update the source of the others to behave similarly?

Regards

Mats

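The mechanism Mats describes above, as an added Python illustration (not GeoServer code and not from anyone in the thread): an exception report that copies the unknown REQUEST value into its XML unescaped becomes a markup-injection sink, and the two independent defences the thread observes are escaping the reflected value (what the WFS 2.0 path is reported to do) and serving the report with a media type browsers do not render inline (what WMS 1.1.1 is reported to do via application/vnd.ogc.se_xml). The report template, the element vocabulary and the set of inline-rendered media types are assumptions made for the example; the sample REQUEST value is a constructed, harmless XHTML element rather than the thread's PoC.

```python
"""
Added illustration (not GeoServer code): reflecting an unknown REQUEST value
into a ServiceException report unescaped lets it be parsed as markup; escaping
it, and serving the report with a non-rendered media type, are two independent
defences. Template, vocabulary and media-type sets are assumptions.
"""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed sample value for the REQUEST parameter: a harmless XHTML element,
# enough to show that the value is interpreted as markup, not as text.
SAMPLE_REQUEST = '<b xmlns="http://www.w3.org/1999/xhtml">hi</b>'

# Element names that legitimately occur in a ServiceExceptionReport (assumption).
OGC_ELEMENTS = {"ServiceExceptionReport", "ServiceException"}

# Media types a browser treats as a document and renders inline (simplifying
# assumption; types not listed here are offered for download, never executed).
RENDERED_INLINE = {"text/html", "application/xhtml+xml", "text/xml", "application/xml"}


def _report(message: str) -> str:
    """Wrap a message in the hypothetical report template shared by both variants."""
    return (
        '<?xml version="1.0"?>\n'
        '<ServiceExceptionReport version="1.2.0">\n'
        '  <ServiceException code="OperationNotSupported" locator="request">\n'
        f"    No such operation: {message}\n"
        "  </ServiceException>\n"
        "</ServiceExceptionReport>\n"
    )


def exception_report_unsafe(request_name: str) -> tuple[str, str]:
    """'Before' shape: the raw parameter is concatenated into the XML and the
    report goes out as text/xml, which a browser renders as a document."""
    return "text/xml", _report(request_name)


def exception_report_safe(request_name: str) -> tuple[str, str]:
    """'After' shape: the parameter is XML-escaped before it is reflected, and
    the report uses the OGC exception media type as a second, independent layer."""
    escaped = escape(request_name, {'"': "&quot;"})
    return "application/vnd.ogc.se_xml", _report(escaped)


def foreign_elements(body: str) -> list[str]:
    """Parse the report and return every element outside the OGC vocabulary.
    A non-empty list means the reflected value was parsed as markup."""
    root = ET.fromstring(body.encode("utf-8"))
    return [el.tag for el in root.iter() if el.tag not in OGC_ELEMENTS]


def browser_would_render(content_type: str) -> bool:
    """True when the media type is one a browser renders inline (see RENDERED_INLINE)."""
    return content_type.split(";")[0].strip().lower() in RENDERED_INLINE


if __name__ == "__main__":
    for label, (ctype, body) in (("unsafe", exception_report_unsafe(SAMPLE_REQUEST)),
                                 ("safe", exception_report_safe(SAMPLE_REQUEST))):
        print(f"{label}: content-type={ctype} rendered={browser_would_render(ctype)} "
              f"injected={foreign_elements(body)}")
```

The parse-based check is the useful part for a tester: rather than grepping the response for the payload string, it asks whether the reflected value produced an element outside the report's own vocabulary, which is exactly the condition under which a browser would treat it as XHTML. The content-type check is a second, independent layer, matching the thread's observation that the 1.1.1 response was not executed even though its body was the same.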


I just tried that on my 2.5 box and got a popup with css in it.

Russ

On 9 May 2014, at 16:17, Isakson Mats <Mats.K.Isaksson@anonymised.com> wrote:

http://demo.opengeo.org/geoserver/ows?SERVICE=WFS&request=“><a%20xmlns:a=%27http://www.w3.org/1999/xhtml%27><a:body%20onload=“alert%28%27xss%27%29”/><”&VERSION=1.0

For css read xss (Spell checker)

Russ

On 9 May 2014, at 16:30, Russell Hore <russ@anonymised.com> wrote:

I just tried that on my 2.5 box and got a popup with css in it.

Russ

On 9 May 2014, at 16:17, Isakson Mats <Mats.K.Isaksson@anonymised.com> wrote:

http://demo.opengeo.org/geoserver/ows?SERVICE=WFS&request=“><a%20xmlns:a=%27http://www.w3.org/1999/xhtml%27><a:body%20onload=“alert%28%27xss%27%29”/><”&VERSION=1.0

This one:

http://demo.opengeo.org/geoserver/ows?SERVICE=WMS&request=“><a%20xmlns:a=%27http://www.w3.org/1999/xhtml%27><a:body%20onload=“alert%28%27xss%27%29”/><”

triggers on my 2.5-snapshot (8th May) and my 2.4.3.

None of the others trigger on either 2.4.3 or the snapshot for me.




On Fri, May 9, 2014 at 5:58 PM, Jonathan Moules <
jonathanmoules@anonymised.com> wrote:

I'm not sure I'd agree with Andrea's assessment of there only being two ways to divulge a bug. Per my original post, there is the third way: Responsible disclosure, and it is compatible with Open Source. The notion behind it is that only developers get informed of the bug until a patch is ready so as to minimise the risk of raising awareness/use by blackhats before it can be defended against. Once a patch is developed (in a timely fashion!), information is disclosed to all.
There are advantages and disadvantages to all methods.

This works under the assumption that someone will take out a Sunday to develop the security patch.
Which does not match reality: we have a pull request against an old version of GeoServer to fix an XSS vulnerability that has been sitting there for months now; nobody took it over and updated it to work with the current versions (https://github.com/geoserver/geoserver/pull/466).

Of course the patch itself cannot be merged, 2.1.x has been unmaintained for years, but taking it over also means starting a discussion about adding new dependencies to geoserver and the like...

When I see people talking so casually about the open source developers taking over this work in a timely fashion I would like to have them spend some weekends with me as I go through bug reports and pull requests instead of getting out and relaxing a bit...

Cheers
Andrea


-------------------------------------------------------


Hi Andrea,
I think I misconveyed my message.
You have good points, but GeoServer is a fairly sizeable community, both of developers and users. The reason I tried to coax a discussion is because while there isn’t a “GeoServer foundation” (like Mozilla/Apache/Linux etc), I wondered if maybe the core commercial contributors could work together on some sort of security scheme; they could point a developer to fix things on company time when it was warranted. It’s in their best interests after all - if an application gets a reputation as being insecure then who’s going to use it, free or otherwise? And if no-one wants to use it, the organisations reliant on it are a bit scuppered.

I’m certainly not suggesting it’s something that individual contributors must feel compelled to do in their spare time; quite the opposite, I’m trying to say that GeoServer would benefit from something more formal (hence originally referencing the PSC). Your example of a months-old XSS pull demonstrates that it’s needed.

I can assure you that I personally have a lot of respect and gratitude towards you as a result of your un-paid contributions to this community. I’ve said it before and I’ll say it again: Thank you.

(Oh, and my reference to “timely fashion” was because some vendors (i.e. the likes of Oracle, and co) have historically used “Responsible Disclosure” as a way to sit on bugs for many months; it was certainly not a dig at anyone here.)

Cheers,
Jonathan

When I see people talking so casually about the open source developers taking over this work in a timely fashion I would like to have them spend some weekends with me as I go through bug reports and pull requests instead of getting out and relaxing a bit…

Cheers

Andrea



In the future I recommend joining the Skype meeting that happens every two weeks; it is a suitable public, open-to-all way to communicate that is not immediately searchable.

The other avenue is via the OSGeo foundation, where we have Andrea as a GeoServer project officer who can be contacted on sensitive issues. During OSGeo incubation we are always sure to have a bit of this personal contact as that process often turns up trademark or IP issues.



On Sat, May 10, 2014 at 7:40 AM, Jody Garnett <jody.garnett@anonymised.com> wrote:

In the future I recommend joining the Skype meeting that happens every two weeks; it is a suitable public, open-to-all way to communicate that is not immediately searchable.

The other avenue is via the OSGeo foundation, where we have Andrea as a GeoServer project officer who can be contacted on sensitive issues. During OSGeo incubation we are always sure to have a bit of this personal contact as that process often turns up trademark or IP issues.

Mind, while I'm project officer and people can contact me, the full extent of what I'll do in this case will be to open a ticket with the details of the issue.
I already play Jira and pull request gardener; let's have someone else be the security caretaker.

Cheers
Andrea


-------------------------------------------------------

It was more that you are the first point of contact for any osgeo biz, or in this case a private word. I expect if it was an issue worth keeping off email we would figure it out on Skype and reach out to osgeo and/or others for help.

We have had a couple of delicate things over the years; each time we muddle through.



On Sat, May 10, 2014 at 9:50 PM, Jody Garnett <jody.garnett@anonymised.com> wrote:

It was more that you are the first point of contact for any osgeo biz, or in this case a private word. I expect if it was an issue worth keeping off email we would figure it out on Skype and reach out to osgeo and/or others for help.

Jody, you don't seem to understand, so let me be clear: I am not available for this kind of duty. If this is considered unacceptable, then I'll step down as an OSGeo representative effective immediately; just let me know.

Cheers
Andrea


-------------------------------------------------------

I would hope any PMC is available. But to be clear I have had 2 OSGeo requests, have you had any OSGeo requests?



On Sat, May 10, 2014 at 10:29 PM, Jody Garnett <jody.garnett@anonymised.com> wrote:

I would hope any PMC is available. But to be clear I have had 2 OSGeo requests, have you had any OSGeo requests?

Never received any direct mail from OSGeo for any GeoServer related matter.

Cheers
Andrea


-------------------------------------------------------

Agreed.

Another way of raising a sensitive issue is private email to the members of the Project Steering Committee (addresses can be found on the mailing list):
http://docs.geoserver.org/latest/en/developer/policies/psc.html#current-psc

Active committee members can be identified by their mention in the meeting minutes that are sent to this list fortnightly.

The next Skype meeting is on Tuesday at 13:00 UTC.

Committee members or the OSGeo Project officer are not expected to *fix* the problem; their main role is to make sure that other committee members or relevant component owners are aware and that issues are assessed and not forgotten. Process and communication.

Kind regards,
Ben.

On 10/05/14 13:40, Jody Garnett wrote:

In the future I recommend joining the Skype meeting that happens every two weeks; it is a suitable public, open-to-all way to communicate that is not immediately searchable.

--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre