Dear GeoServer developers,

We are using GeoServer WFS to serve vector data that are stored in an Oracle
database in the backend.

The WFS request directly returns errors produced by the Oracle DB to final
users.
For example, when we submitted the below WFS request to any GeoServer instance:
http://geoserver.domain.name/GeoServer/wfs?service=WFS&version=1.0.0&request=GetFeature&outputFormat=json&srsName=EPSG:4326&typeName=YOUR_LAYERNAME&cql_filter=1='string'
GeoServer returned the below errors to final users if the backend database is
Oracle (I did not have a chance to test PostGIS as the backend database):
java.lang.RuntimeException: java.io.IOException java.io.IOException null
ORA-01722: invalid number

This error directly discloses backend database information to final users.
Our security guys think that this is a security vulnerability and we need to
fix it.

Considering that this error is directly returned by GeoServer, I am seeking
any comments/suggestions/advice from users and developers in the GeoServer
community to see if there is any way that we can fix this issue.

Also, I have a few questions as below:
1. Is there a core GeoServer development team that we can contact to
provide more details about this vulnerability for further
discussion/solutions? We don't want to send our vulnerability scan report
to the whole GeoServer community.
2. Did the GeoServer development team verify and agree with this vulnerability?
If yes, do you have any solutions and/or any plans to fix it in the near
future? If you verified it but thought this vulnerability is not critical,
can you please provide some details to explain why this vulnerability is
not critical?
3. I read the following comments from the GeoServer community; do you agree
with them? Does the GeoServer team take it as an explanation for the CQL vulnerability?
~~~~~~~~~~~~~~~~~~~
"In GeoServer's implementation, each filter expression is fully parsed into
an abstract syntax tree and then partially or fully converted to native
queries in a database-specific manner - PostGIS can take advantage of
SQL syntax
and functions unique to that database, while Shapefiles use a fallback that
fully interprets filters in GeoServer/GeoTools code.  As such, it's not
susceptible to traditional SQL injection attacks since the user input is
never directly sent to the underlying database.

I guess it might be possible in theory to perform an injection attack by
some clever escaping - using "' -- DELETE TABLE important_data;" as a
property name. But GeoServer validates that filters reference only
properties that are actually present, so this would not be feasible through
WFS.  And CQL does not support comments, further complicating any potential
injection attacks.

Furthermore, GeoServer JDBC by default uses prepared statements
where possible for both performance and security. Prepared statements are
a strong protection against SQL injection because the injected value is not
evaluated as SQL code."
~~~~~~~~~~~~~~~~~~~~

Thanks,

Aijun,
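As an added example (not GeoServer or GeoTools code), the following Python sketch mirrors the two layers the quoted community text describes and the fix the post asks for: a toy CQL `=` filter is parsed into an AST, translated to SQL with bound parameters (so a value such as `' -- DELETE TABLE important_data;` is data rather than SQL text, and a property name outside the layer schema is rejected), and any exception coming back from the data store is logged server-side and replaced by a generic message with a correlation id before it reaches the WFS client. The layer schema, the `cities` table and the Oracle behaviour emulated on top of SQLite (ORA-01722 when a number is compared with a non-numeric string) are all constructed for this example.

```python
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("wfs")

# Constructed layer schema: the allow-list of property names a filter may reference
LAYER_PROPERTIES = {"NAME", "POPULATION"}

# Toy CQL tokenizer: integer literal | 'string' literal (with '' escape) | identifier | '='
_TOKEN = re.compile(r"\s*(?:(\d+)|'((?:[^']|'')*)'|([A-Za-z_][A-Za-z0-9_]*)|(=))")


def parse_equals(cql):
    """Parse `<operand> = <operand>` into an AST of tagged tuples.

    Operands become ("int", 1), ("str", "text") or ("prop", "NAME"). Anything the
    tokenizer does not recognise (an unterminated quote, a stray `--`) is a parse
    error, so it never reaches SQL generation.
    """
    cql, pos, nodes = cql.strip(), 0, []
    while pos < len(cql):
        m = _TOKEN.match(cql, pos)
        if not m:
            raise ValueError("unparseable CQL at offset %d" % pos)
        pos = m.end()
        num, text, ident, op = m.groups()
        if num is not None:
            nodes.append(("int", int(num)))
        elif text is not None:
            nodes.append(("str", text.replace("''", "'")))
        elif ident is not None:
            nodes.append(("prop", ident))
        else:
            nodes.append(("op", op))
    if len(nodes) != 3 or nodes[1] != ("op", "="):
        raise ValueError("expected <operand> = <operand>")
    return ("eq", nodes[0], nodes[2])


def to_prepared_sql(ast, table):
    """Translate the AST into SQL with bind placeholders.

    Property names are checked against the layer schema and emitted as SQL text;
    every literal, whatever it contains, is passed as a bound parameter.
    """
    _, left, right = ast
    sql_operands, params = [], []
    for kind, value in (left, right):
        if kind == "prop":
            if value not in LAYER_PROPERTIES:
                raise ValueError("unknown property %r" % value)
            sql_operands.append(value)
        else:
            sql_operands.append("?")
            params.append(value)
    sql = "SELECT NAME, POPULATION FROM %s WHERE %s = %s" % (table, *sql_operands)
    return sql, params


class BackendError(Exception):
    """Stand-in for the driver exception the data store would raise."""


class OracleLikeBackend:
    """SQLite in memory as the data store, plus a constructed emulation of the one
    Oracle behaviour the post shows: comparing a number with a non-numeric string
    fails with ORA-01722. SQLite alone would evaluate 1 = 'string' as false."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE cities (NAME TEXT, POPULATION INTEGER)")
        self.conn.executemany("INSERT INTO cities VALUES (?, ?)",
                              [("Oslo", 700000), ("Bergen", 285000)])

    def execute(self, sql, params):
        where = sql.split(" WHERE ", 1)[1]
        numeric_side = "POPULATION" in where or any(isinstance(p, int) for p in params)
        for p in params:
            if numeric_side and isinstance(p, str) and not p.lstrip("-").isdigit():
                raise BackendError("ORA-01722: invalid number")  # emulated vendor message
        return self.conn.execute(sql, params).fetchall()


def sanitize_backend_error(exc):
    """Keep vendor detail in the server log; hand the client a generic message and a
    correlation id that support staff can match against that log entry."""
    incident = uuid.uuid4().hex[:12]
    log.error("incident %s: data store error %s: %s", incident, type(exc).__name__, exc)
    return "The filter could not be evaluated against the data store (incident %s)" % incident


def handle_get_feature(backend, cql_filter, table="cities"):
    """The WFS-side flow: parse, translate, execute, and decide what the client sees."""
    try:
        sql, params = to_prepared_sql(parse_equals(cql_filter), table)
    except ValueError as e:
        # Filter problems concern only the client's own input; reporting them is safe
        return {"error": "Invalid filter: %s" % e}
    try:
        return {"features": backend.execute(sql, params)}
    except Exception as e:
        # Whatever the data store says is sanitised before it leaves the server
        return {"error": sanitize_backend_error(e)}


if __name__ == "__main__":
    backend = OracleLikeBackend()
    for f in ("NAME = 'Oslo'", "1 = 'string'", "NAME = ''' -- DELETE TABLE important_data;'"):
        print(f, "->", handle_get_feature(backend, f))
```

The split between the two `except` clauses is the point: a `ValueError` from the parser or the schema check describes the client's own request and can be echoed, while anything raised by the data store is treated as internal and only its correlation id is shared.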
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel