Fix Cross Site Scripting (XSS) issue in demo service #322

Closed
olt opened this Issue Aug 14, 2017 · 1 comment

olt commented Aug 14, 2017

The format and srs parameters in the WMS/WMTS/TMS demo pages are not escaped.

A targeted, non-persistent Cross Site Scripting attack (XSS) could be used for information disclosure. For example: session cookies of a third-party application running on the same domain.
This is not a disclosure of any information on the server (like files, etc.). Refer to https://en.wikipedia.org/wiki/Cross-site_scripting

Users are advised to disable the demo service or to update MapProxy with the upcoming patch, if they are unsure whether this is a risk in their specific installation.
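
The bug class described in this issue, as an added illustration that is not MapProxy's demo code: a demo page that echoes the `format` and `srs` query parameters into its HTML unescaped, next to a hardened version that HTML-escapes them and additionally validates `srs` against an allowlist pattern. The page markup, the function names and the `EPSG:<digits>` validation rule are assumptions made for this example; the query strings are constructed test input.

```python
"""Reflected (non-persistent) XSS via unescaped query parameters, vulnerable vs fixed.

Added example, not MapProxy code. The demo markup, helper names and the
srs allowlist pattern are assumptions; the query strings are constructed.
"""
import html
import re
from urllib.parse import parse_qs

# Constructed inputs: a benign request and a reflected-XSS probe in the srs value.
BENIGN_QUERY = "format=image/png&srs=EPSG:3857"
PROBE_QUERY = 'format=image/png&srs=EPSG:3857"><script>alert(document.cookie)</script>'

# Assumed allowlist for the srs parameter: "EPSG:" followed by digits only.
SRS_PATTERN = re.compile(r"^EPSG:\d+$")


def _params(query):
    """First value of each query parameter, or '' if absent."""
    parsed = parse_qs(query, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def render_demo_vulnerable(query):
    """Mimics the flaw in the issue: values are interpolated into the markup verbatim.

    A crafted srs value closes the attribute and the tag, so attacker-chosen
    script runs in the browser of whoever opens the crafted link.
    """
    p = _params(query)
    fmt = p.get("format", "")
    srs = p.get("srs", "")
    return (
        '<form><input type="hidden" name="srs" value="%s">'
        '<select name="format"><option>%s</option></select></form>' % (srs, fmt)
    )


def validate_srs(srs):
    """Allowlist check (assumed rule): only EPSG:<digits> is accepted."""
    return SRS_PATTERN.match(srs) is not None


def render_demo_fixed(query):
    """Hardened form: escape every untrusted value before it reaches the markup.

    quote=True also turns " and ' into entities, which is what keeps a value
    from closing the attribute it sits in. Escaping is the fix; the allowlist
    on srs is defence in depth so junk never reaches the template at all.
    """
    p = _params(query)
    fmt = html.escape(p.get("format", ""), quote=True)
    srs_raw = p.get("srs", "")
    srs = html.escape(srs_raw if validate_srs(srs_raw) else "", quote=True)
    return (
        '<form><input type="hidden" name="srs" value="%s">'
        '<select name="format"><option>%s</option></select></form>' % (srs, fmt)
    )


def contains_injected_script(markup):
    """Crude detector for this demo: a literal <script tag surviving into the
    output means a value broke out of its attribute/text context."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("vulnerable:", render_demo_vulnerable(PROBE_QUERY))
    print("fixed:     ", render_demo_fixed(PROBE_QUERY))
```

The vulnerable renderer emits the probe's `<script>` element intact, while the fixed one emits it as `&lt;script&gt;` text inside a still-closed attribute; with the allowlist in place the bogus `srs` value is dropped entirely before rendering.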

@olt olt changed the title from Update demo service to Fix Cross Site Scripting (XSS) issue in demo service Aug 17, 2017


olt commented Aug 17, 2017

Fixed with 2e10284 in master and 87faa66 in 1.10.x branch. MapProxy 1.10.4 release with fix is out.

@olt olt closed this Aug 17, 2017

bob-beck pushed a commit to openbsd/ports that referenced this issue Aug 28, 2017

Update to mapproxy 1.10.4.
- Fix Cross Site Scripting (XSS) issue in demo service
  (mapproxy/mapproxy#322).

hakrdinesh pushed a commit to hakrtech/openbsd-ports0-test that referenced this issue Jan 16, 2018

Update to mapproxy 1.10.4.
- Fix Cross Site Scripting (XSS) issue in demo service
  (mapproxy/mapproxy#322).