MapServer SQL Injections with postgis TIME filters

2014.01.06
Credit: tbonfort
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2013-7262
CWE: CWE-89


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

As part of @rouault 's WFS 2.0 work he discovered a SQL injection issue specific to WMS-Time and perhaps SOS services. It has to do with PostGIS and time validation. Based on Even's tests for WMS-Time the vulnerability is limited to unintended disclosure of data from the specific table, if specific conditions are met: WMS-Time is configured PostGIS is used GetFeatureInfo output formats dump all attributes (e.g. gmlitems all) Basically you can muck with the where clause but can’t execute secondary commands (e.g. delete …). It may be possible to access unintended data through the map itself (e.g. via a label item) but that seems pretty hard. Again, SOS services have not been examined.

References:

https://github.com/mapserver/mapserver/issues/4834
https://github.com/mapserver/mapserver/commit/3a10f6b829297dae63492a8c63385044bc6953ed
http://www.mapserver.org/development/changelog/changelog-6-4.html#changelog-6-4-1


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top