Dear all,

We are hosted Geoserver (2.9.0 version) application in our office to accomplish the GIS activities.Before to hosted this software in our data center this software should be audit for vulnerabilities.

The security assessment of application found some of the vulnerabilities.Hereby I attached some of the vulnerabilities details for your reference.

Kindly look into the attachment and kindly instruct us to fixing the vulnerabilities.

Details of software used:-

Geoserver-Version 2.9.0

Java version:- JDK1.8.0_121

Apache Tomcat:-apache-tomcat-8.0.41

Web Services created:- WMS and WFS

vulnerability details are attached with description and impact of that vulnerability and also the solution to resolve.So it is request to instruct to resolve issue

–

Thanks & Regards,
Sharath Shetty
M: 7259590267

Brute force attack vulnerability.pdf (115 KB)

Clickjacking vulnerability.pdf (168 KB)

autocomplete and remember password field enabled.pdf (241 KB)

improper error handling and version disclosure.pdf (231 KB)

session fixation.pdf (126 KB)

First off, GeoServer has a “responsible disclosure” policy that your mail violates in a most severe way:
https://osgeo-org.atlassian.net/projects/GEOS/summary

About the issues:

• Session fixation has been solved in 2.9.3, you’ll have to upgrade, see https://osgeo-org.atlassian.net/browse/GEOS-7849
• The improper error handling can likely be addressed by un-checking “verbose exception reporting” in the global sessions page, see also http://docs.geoserver.org/stable/en/user/configuration/globalsettings.html#verbose-exception-reporting
• The other three have to do with the UI, the common practice is to not expose the user interface to the web, using a proxy and only allowing service paths (geoserver/ows, geoserver/wms, geoserver/wfs for example) to be called from outside, while allowing only access to the UI from specific IPs.
  Regards

Andrea

Hi Andrea,

“The other three have to do with the UI, the common practice is to not expose the user interface to the web, using a proxy and only allowing service paths (geoserver/ows, geoserver/wms, geoserver/wfs for example) to be called from outside, while allowing only access to the UI from specific IPs.”

I have to respectfully but strongly disagree here. I’d certainly say that’s good practice, but it’s not common practice.

To confirm my hypothesis, I just scraped about 650 different /geoserver/web pages scattered across the internet and I received over five hundred (500) responses that had a 200 response code. So I’d suggest that anything that effects the user interface should certainly be considered a security bug and treated accordingly.
Alas, relying on users/admins to do things properly is always a recipe for disaster when it comes to security.

Cheers,
Jonathan

---- On Sat, 25 Mar 2017 15:35:23 +0000 Andrea Aime <andrea.aime@anonymised.com7…> wrote ----

First off, GeoServer has a “responsible disclosure” policy that your mail violates in a most severe way:
https://osgeo-org.atlassian.net/projects/GEOS/summary

About the issues:

• Session fixation has been solved in 2.9.3, you’ll have to upgrade, see https://osgeo-org.atlassian.net/browse/GEOS-7849
• The improper error handling can likely be addressed by un-checking “verbose exception reporting” in the global sessions page, see also http://docs.geoserver.org/stable/en/user/configuration/globalsettings.html#verbose-exception-reporting
• The other three have to do with the UI, the common practice is to not expose the user interface to the web, using a proxy and only allowing service paths (geoserver/ows, geoserver/wms, geoserver/wfs for example) to be called from outside, while allowing only access to the UI from specific IPs.
  Regards

Andrea

On Sat, Mar 25, 2017 at 12:29 PM, Sharath Shetty <sharath@anonymised.com> wrote:

Dear all,

We are hosted Geoserver (2.9.0 version) application in our office to accomplish the GIS activities.Before to hosted this software in our data center this software should be audit for vulnerabilities.

The security assessment of application found some of the vulnerabilities.Hereby I attached some of the vulnerabilities details for your reference.

Kindly look into the attachment and kindly instruct us to fixing the vulnerabilities.

Details of software used:-

Geoserver-Version 2.9.0

Java version:- JDK1.8.0_121

Apache Tomcat:-apache-tomcat-8.0.41

Web Services created:- WMS and WFS

vulnerability details are attached with description and impact of that vulnerability and also the solution to resolve.So it is request to instruct to resolve issue

–

Thanks & Regards,
Sharath Shetty
M: 7259590267

---

Check out the vibrant tech community on one of the world’s most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

---

Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

–

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313

fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

---

---

Check out the vibrant tech community on one of the world’s most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

On Tue, Mar 28, 2017 at 7:59 PM, Jonathan Moules <
jonathan-lists@anonymised.com> wrote:

Hi Andrea,

"The other three have to do with the UI, the common practice is to not
expose the user interface to the web, using a proxy and only allowing
service paths (geoserver/ows, geoserver/wms, geoserver/wfs for example) to
be called from outside, while allowing only access to the UI from specific
IPs."

I have to respectfully but strongly disagree here. I'd certainly say
that's *good* practice, but it's *not* common practice.

It is common in security conscious setups (military and the like). But yes,
those are indeed not common.

To confirm my hypothesis, I just scraped about 650 different
/geoserver/web pages scattered across the internet and I received over five
hundred (500) responses that had a 200 response code. So I'd suggest that
anything that effects the user interface should certainly be considered a
security bug and treated accordingly.

Do not worry, we are doing that, you just don't see any discussion about it
because it's security related (and there is no funding attached, so fixes
won't happen overnight).

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------