Hello Gabriel, Thanks for looking it up and pointing to the code! For the SRS parameter the solution you implemented seems to be good. The thing is, other (invalid) input could also be used for XSS.
If you would send this request to a Geoserver instance: http://localhost:8080/geoserver/gwc/service/wmts?request=<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload="alert('xss')"/></a> the script gets executed. So the request-parameter is vulnerable (SRS seems okay). In fact, most WMTS parameters seem to be vulnerable. I took a valid, working WMTS request and replaced several parameter values (like the format, request and tilematrixset params) with the value in the example above ( <a .... etc ... </a> ). If you execute that, the service exception triggers browsers to execute the script. If the exception report would HTML encode the input value of the parameter (if reporting it) that caused the exception, it should be fixed. The website https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet lists some measures that could be taken for all kinds of XSS. I think for Service Exceptions there is no need to cover all defenses. HTML encoding would do (there is no data input through CSS in a Service Exception for example..) because the input values are only reported in the "body" of the service exception. But I'll check that. I also just found a WMS vulnerability, in Geoserver 2.2.4. Just to be sure: the best would be if all Service Exceptions (in fact: all exception reports that report back the input) would always encode any input parameter before writing the exception, that would fix a lot of issues. I'm happy to help (will try something soon ) and provide more test requests. Not sure if sending these on the mailinglist is such a good idea :) (from a security point of view). So let me know. Thanks in advance! Thijs On 13-03-13 04:15, Gabriel Roldan wrote: > Hello, > > re GEOS-4210, this is the commit I meant in the comment > <https://github.com/GeoWebCache/geowebcache/commit/f4b3d357533b8ba1f05965fc57098bb5250b067b> > > Looks like I was too lazy at the moment as to chase it down but its > easier with git now. > > The way I understand it is that an exception will be thrown when > attempting to parse the SRS parameter which ultimately will be handled > by that writeError method in GeoWebcacheDispatcher. If you can confirm > that's not what's going on and the XSS vulnerability exists while > calling a gwc service I'll be glad to look deeper into it. > > Cheers, > Gabriel > > On Mon, Mar 11, 2013 at 2:13 PM, Thijs Brentjens > <[email protected]> wrote: >> re 1): >> There is/was some discussion on XSS already, I noticed: >> http://jira.codehaus.org/browse/GEOS-5318 --> still open >> http://jira.codehaus.org/browse/GEOS-4210 --> says for GWC a fix has >> been done a while ago. >> From another source: >> http://itsecuritysolutions.org/2012-04-13-ActiveX,-Remote-DoS-and-XSS/, >> also lists some XSS vulnerabilities for GS 2.1.4 >> >> Summary: in 2.1.x XSS can be used by exploiting the Service Exceptions >> for WMS and WFS. This is confirmed in our test. In 2.2.x this seems to >> be fixed already for WMS and WFS. However 2.2.x versions still are >> vulnerable. For example: WMTS by GWC is vulnerable, >> http://localhost:8080/geoserver/gwc/service/wmts?request=<a >> xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload="alert('xss')"/></a>. >> >> Before I get my hands dirty myself: has someone a solution available >> maybe (I can't see any activity now, but you never know) or knows of >> something? Or can someone point me to where the fixes between 2.1 and >> 2.2 have been done to avoid XSS? Maybe I could use that for my client >> (and in the end others) and use it to fix some other XSS issues as well. >> If not, I'll dive into the code :). > > > ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar _______________________________________________ Geoserver-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/geoserver-devel
