Hi list,

Recently a security expert took a look at an application, using GeoServer, I have been working on. I'd like to share some results of that test and discuss two vulnerabilities found. And I am looking for already existing / possible solutions (before starting to develop something myself), so hopefully someone can help.

Background on the test
----------------------

The application involved uses a WMS, a WFS and TMS/WMTS served by GeoServer/GeoWebCache. A very common situation. Note that this instance of GeoServer will not be entirely exposed to the public (for example: the webadmin is not exposed in this case and therefore not vulnerable, and the network people have taken some measures). In addition, GeoServer runs in "read-only" mode: editing data is not possible. So the data itself is not at risk.

The security expert has performed several tests and referred to OWASP (https://www.owasp.org) among others. Very interesting stuff. The tests were performed on the (OGC) service interfaces alone.

The issues
----------

The security tests showed only 2 improvements / vulnerabilities for GeoServer. The other tests (like SQL injection etc.) all seemed fine, which is good news! So compliments & thanks to the GeoServer team!

The 2 remaining issues are:

1) vulnerability to cross-site scripting (XSS). High risk, as identified by the security expert, in a few places
2) (OGC) Service Exceptions expose technical, implementation details. Low risk.

re 1): There is/was some discussion on XSS already, I noticed:

http://jira.codehaus.org/browse/GEOS-5318 --> still open
http://jira.codehaus.org/browse/GEOS-4210 --> says for GWC a fix has been done a while ago.

From another source: http://itsecuritysolutions.org/2012-04-13-ActiveX,-Remote-DoS-and-XSS/ also lists some XSS vulnerabilities for GS 2.1.4.

Summary: in 2.1.x XSS can be used by exploiting the Service Exceptions for WMS and WFS. This is confirmed in our test. In 2.2.x this seems to be fixed already for WMS and WFS. However, 2.2.x versions are still vulnerable. For example: WMTS by GWC is vulnerable, http://localhost:8080/geoserver/gwc/service/wmts?request=<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload="alert('xss')"/></a>.

Before I get my hands dirty myself: does someone have a solution available maybe (I can't see any activity now, but you never know) or know of something? Or can someone point me to where the fixes between 2.1 and 2.2 have been done to avoid XSS? Maybe I could use that for my client (and in the end others) and use it to fix some other XSS issues as well. If not, I'll dive into the code :).

re 2): To me this vulnerability (service exceptions expose technical details) is less relevant, since you can get all information easily once you know that GeoServer is used and you can easily find the documentation and source code. However, my client (and the security expert) wishes to make it hard for hackers-with-bad-intentions to exploit anything. They have a point there. So probably we might end up avoiding stack traces in Service Exceptions. Maybe we could have a flag to set if stack traces should be reported? My client would like to have a solution others could benefit from as well, ideally in the GS code base. Therefore: any thoughts, pointers etc. on stack traces in the Service Exceptions are appreciated :).

Any ideas?

Ok, enough for now :). (And sorry for the long email..)

Thijs
