
Fix Cross Site Scripting (XSS) issue in demo service #322

Closed
olt opened this issue Aug 14, 2017 · 2 comments

Comments

olt (Member) commented Aug 14, 2017

The format and srs parameters in the WMS/WMTS/TMS demo pages are not escaped.

A targeted, non-persistent Cross Site Scripting attack (XSS) could be used for information disclosure, for example session cookies of a third-party application running on the same domain.
This is not a disclosure of any information on the server (like files, etc.). Refer to https://en.wikipedia.org/wiki/Cross-site_scripting

Users are advised to disable the demo service or to update MapProxy with the upcoming patch, if they are unsure whether this is a risk in their specific installation.
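Added example, not MapProxy's own code: the reflection pattern described above, reduced to a hypothetical stand-in template in which the same `srs` and `format` values land in element text and inside an `href` URL, next to a hypothetical `render_escaped` that encodes each value for the context it is written into. The query string is constructed for the example.

```python
from html import escape
from urllib.parse import parse_qs, quote

# Hypothetical stand-in for a demo page template (not MapProxy's template):
# the same parameter lands in element text and inside a URL in an href
# attribute, i.e. in two different output contexts.
TEMPLATE = (
    "<p>Layer in {srs_text} as {fmt_text}</p>\n"
    '<a href="/service?REQUEST=GetMap&amp;SRS={srs_url}&amp;FORMAT={fmt_url}">preview</a>'
)

def _params(query: str) -> tuple[str, str]:
    q = parse_qs(query)
    return q.get("srs", [""])[0], q.get("format", ["image/png"])[0]

def render_unescaped(query: str) -> str:
    """The flawed pattern: raw query values spliced straight into the page."""
    srs, fmt = _params(query)
    return TEMPLATE.format(srs_text=srs, fmt_text=fmt, srs_url=srs, fmt_url=fmt)

def render_escaped(query: str) -> str:
    """Hardened pattern: encode each value for the context it lands in.
    Text and attribute context get HTML entity escaping (quote=True also
    covers quotes); the URL context is percent-encoded first, then passed
    through the same HTML escaper so both layers stay explicit."""
    srs, fmt = _params(query)
    return TEMPLATE.format(
        srs_text=escape(srs, quote=True),
        fmt_text=escape(fmt, quote=True),
        srs_url=escape(quote(srs, safe=""), quote=True),
        fmt_url=escape(quote(fmt, safe=""), quote=True),
    )

def reflects_raw(page: str, value: str) -> bool:
    """Regression check: True if the raw value survived into the rendered page."""
    return value in page

# Constructed sample value carrying characters that would close an attribute
# or open a tag; not taken from the issue.
SAMPLE_QUERY = 'srs=EPSG:4326"><i>x</i>&format=image/png'
```

A regression test for a fix like this should assert `reflects_raw` is False for every reflected parameter in every context the template uses, since escaping only some of them is what leaves a fix incomplete.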

olt changed the title from "Update demo service" to "Fix Cross Site Scripting (XSS) issue in demo service" on Aug 17, 2017

olt (Member, Author) commented Aug 17, 2017

Fixed with 2e10284 in master and 87faa66 in the 1.10.x branch. The MapProxy 1.10.4 release with the fix is out.

olt closed this as completed Aug 17, 2017

bob-beck pushed a commit to openbsd/ports that referenced this issue Aug 28, 2017
- Fix Cross Site Scripting (XSS) issue in demo service
  (mapproxy/mapproxy#322).

olt (Member, Author) commented Aug 6, 2019

Janek Vind found out that this fix was incomplete. There is an updated fix with 420412a in master and 436c8f4 in the 1.11.x branch. The MapProxy 1.11.1 release is out with a fix.

sebastic added a commit to sebastic/mapproxy that referenced this issue Jun 15, 2022
Fixes XSS issue in demo service, see:
mapproxy#322