Comment 2 for bug 398814

Stephane Chazelas (stephane-chazelas) wrote : Re: [Bug 398814] [NEW] security: anyone can make mapserv read or write arbitrary files

2009-07-13 14:27:30 -0000, Stephane Chazelas:
> *** This bug is a security vulnerability ***
>
> Private security bug reported:
>
> Binary package hint: cgi-mapserver

A few additional comments inline:

> /usr/lib/cgi-bin/mapserv takes as CGI parameter a map argument which is
> the path to any file with a .map extension on the server file system.

Due to another bug (probably wrong flags passed to the regexp
matching function), it doesn't have to be a .map file. If one does:

ln -s / $'/tmp/.map\n'

on the server, then one can have mapserv read any file:

http://localhost/cgi-bin/mapserv?map=/tmp/.map%0A/etc/passwd

gives:

msLoadMap(): Unknown identifier. Parsing error near (root):(line 1)

Of course, if one has the right to create files on the server,
he can probably do much worse with a real map file.

[...]
> Worse, one can cause mapserv to write data anywhere through the map_web
> CGI parameter, littering the server's file system, that space is never
> reclaimed AFAICS.

"anywhere" above would be "any directory the user running apache
has write access to", so temp or other spool/cache areas, but
also directories owned or writable by www-data as in poorly
designed web sites or web sites that have web services with an
"on-line" upgrade facility.

> It can cause DOS by filling up system file systems that way.

One with an account on the server can probably also get www-data
to overwrite any file it has write access to with a symlink by
the name of one of those png files mapserv creates.

> Looking at the code (mapserver-5.0.3 ubuntu source package), there's
> plenty of scope for buffer overflows, and I could easily get a crash
> with a large map CGI argument (adding a large /././././... somewhere in
> the path for instance). I suppose there's potential for running
> arbitrary code there as well.

It looks like new versions of mapserv have solved some of those
problems, but not the core one:

> Those shouldn't be CGI parameters, those paths should be defined by the
> system administrator, not the user! For instance through a
> /etc/mapserv/maps.d or something like that.

That is the ability of the client to specify those parameters.

> A work around for now, would be to use apparmor or selinux to only allow
> mapserv to open predefined map files, but that would not solve the
> buffer overflow problems. Or maybe a wrapper that checks the
> QUERY_STRING and POST data before passing it along to mapserv.

A chroot jail could also be a solution.

See also http://trac.osgeo.org/mapserver/ticket/1836

regards,
Stephane
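As an added example (not code from the bug report, from Ubuntu or from
MapServer), the Python wrapper below demonstrates the two defensive points
raised in this comment: the regexp-anchor problem that lets a ".map" check be
satisfied by a name with an embedded newline, and the suggested wrapper that
checks the QUERY_STRING before anything reaches mapserv. It assumes an
administrator-controlled map directory (the /etc/mapserv/maps.d idea from the
report), a hypothetical "map_" name prefix for the client-side override
parameters such as map_web, and re.MULTILINE standing in for whatever flag the
real matcher used; the sample map directory, symlink and query strings are
constructed for the example.

```python
"""Hypothetical CGI front-end validator for mapserv.

Added example, not code from MapServer or from the bug report. It shows why an
extension check written as '.*\\.map$' lets "/tmp/.map\\n/etc/passwd" through,
and how a wrapper can pin map= to an administrator-controlled directory and
drop client-supplied map_* overrides such as map_web.
"""
import os
import re
import tempfile
from urllib.parse import parse_qsl

# Assumed allowlist directory; the report suggests something like this.
MAP_ROOT = "/etc/mapserv/maps.d"

# Naive check. With re.MULTILINE (the analogue of REG_NEWLINE in POSIX regexec)
# '$' matches before any newline, so nothing after %0A is ever examined.
NAIVE_MAP_RE = re.compile(r"^.*\.map$", re.MULTILINE)

# Hardened check: a bare file name from an explicit character allowlist, no
# path separators, and \Z, which matches only at the true end of the string.
SAFE_MAP_NAME_RE = re.compile(r"\A[A-Za-z0-9_-]+\.map\Z")


def naive_extension_check(param):
    """The bypassable kind of check the report describes."""
    return NAIVE_MAP_RE.match(param) is not None


def resolve_map(param, map_root=MAP_ROOT):
    """Return the canonical path of an allowed map file, or None if rejected.

    The name is validated before it touches the file system; the resolved
    path must then sit directly under map_root, so a symlink planted inside
    map_root that points elsewhere is rejected as well.
    """
    if not SAFE_MAP_NAME_RE.match(param):
        return None
    root = os.path.realpath(map_root)
    candidate = os.path.realpath(os.path.join(root, param))
    if os.path.dirname(candidate) != root or not os.path.isfile(candidate):
        return None
    return candidate


def filter_query(query_string, map_root=MAP_ROOT):
    """Return the (name, value) pairs mapserv may see, or None to reject.

    map=    must name a file inside map_root; the client never supplies a path.
    map_*   parameters are dropped (assumption: every client override of map
            settings, map_web included, carries this prefix).
    others  pass through unchanged.
    """
    passed = []
    map_seen = False
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name == "map":
            path = resolve_map(value, map_root)
            if path is None or map_seen:
                return None
            map_seen = True
            passed.append(("map", path))
        elif name.startswith("map_"):
            continue
        else:
            passed.append((name, value))
    return passed if map_seen else None


def build_demo_root():
    """Constructed fixture: a map directory holding one real map file and one
    symlink that points outside it (stands in for the ln -s trick above)."""
    root = tempfile.mkdtemp(prefix="maps.d-")
    with open(os.path.join(root, "world.map"), "w") as fh:
        fh.write("MAP\n  NAME demo\nEND\n")
    os.symlink(os.sep + "etc", os.path.join(root, "evil.map"))
    return root


if __name__ == "__main__":
    demo_root = build_demo_root()
    for q in ("map=world.map&mode=map",
              "map=world.map&map_web=anything&mode=map",
              "map=/tmp/.map%0A/etc/passwd",
              "map=evil.map"):
        print(q, "->", filter_query(q, demo_root))
```

The order of checks is deliberate: the name is rejected by the allowlist
pattern before any file-system call, and only a name that passes is joined to
the root and resolved with realpath, which is what catches the symlink case.
A wrapper like this does nothing for the buffer-overflow concerns in the
report; it only removes the client's ability to choose paths.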