Disable insecure mapserv CGI command-line debug args #3485

Closed
mapserver-bot opened this Issue Apr 3, 2012 · 3 comments


Reporter: dmorissette
Date: 2010/07/08 - 22:01
Trac URL: http://trac.osgeo.org/mapserver/ticket/3485
As part of a security audit of MapServer 5.6 it was found that some of the mapserv CGI command-line debug arguments constitute a security risk that could potentially be exploited.

I will not disclose any of the details here, but we should take actions to avoid command-line args in CGI programs.

This will not affect functionality for regular mapserv CGI users... only for developers that used those command-line args to debug and test the software.

Author: dmorissette
Date: 2010/07/08 - 22:51
To create the smallest possible amount of disruption in point releases, for 5.6.4 we will simply disable all mapserv command-line debug args by default, except for "-v" which is useful to get mapserv version on an installed system, as well as "-nh" and "QUERY_STRING=..." which carry little risk and/or are used by msautotests and in some docs.

We should revisit this in MapServer 6.0 and possibly find a better mechanism to handle these debugging hooks that do not involve command-line args.

The disabled code will be enclosed inside #ifdef MS_ENABLE_CGI_CL_DEBUG_ARGS. This means that -DMS_ENABLE_CGI_CL_DEBUG_ARGS must be explicitly set at compile time to re-enable those debug args (by devs who know what they are doing and understand the security implications). A --enable-cgi-cl-debug-args option will also be added to the configure script to facilitate setting this flag. Once again, this flag enables some potentially insecure command-line args and should not be enabled on production servers or by people who do not understand the security implications.

Fix for this committed in SVN branch-5-6 4f87620 (r10306) (will be in 5.6.4)

I will also backport the fix to older releases.
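
The compile-time gating described in the comment above, sketched as an added example (not MapServer's own code and not part of the original ticket): "-v", "-nh" and "QUERY_STRING=..." are always parsed, while a hypothetical "-x-debug-hook" flag stands in for the undisclosed debug args and is compiled in only with -DMS_ENABLE_CGI_CL_DEBUG_ARGS. Rejecting every unrecognized argument is an assumption of this sketch, as are all function and struct names.

```c
/* Added illustration; not MapServer source. "-x-debug-hook" is a
 * hypothetical stand-in for the debug args the ticket does not name. */
#include <stdio.h>
#include <string.h>

enum arg_result { ARG_OK = 0, ARG_REJECTED = 1 };

struct cgi_opts {
    int show_version;   /* -v */
    int no_header;      /* -nh */
    const char *query;  /* QUERY_STRING=... */
    int debug_hook;     /* only reachable in debug builds */
};

/* Allowlist parser: anything not explicitly accepted is rejected. */
static enum arg_result parse_args(int argc, char **argv, struct cgi_opts *o)
{
    memset(o, 0, sizeof *o);
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-v") == 0) {
            o->show_version = 1;
        } else if (strcmp(argv[i], "-nh") == 0) {
            o->no_header = 1;
        } else if (strncmp(argv[i], "QUERY_STRING=", 13) == 0) {
            o->query = argv[i] + 13;
#ifdef MS_ENABLE_CGI_CL_DEBUG_ARGS
        } else if (strcmp(argv[i], "-x-debug-hook") == 0) {
            o->debug_hook = 1;   /* exists only in opt-in debug builds */
#endif
        } else {
            return ARG_REJECTED; /* fail closed in default builds */
        }
    }
    return ARG_OK;
}

/* Constructed sample input: parse a single extra argument. */
static enum arg_result try_arg(const char *arg)
{
    struct cgi_opts o;
    char *argv[] = { "mapserv", (char *)arg };
    return parse_args(2, argv, &o);
}

int main(void)
{
    printf("-v -> %d\n", try_arg("-v"));
    printf("-x-debug-hook -> %d\n", try_arg("-x-debug-hook"));
    return 0;
}
```

Because the gated branch is removed by the preprocessor, a default build contains no code path for the debug flag at all, rather than relying on a runtime switch.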

Author: dmorissette
Date: 2010/07/08 - 23:22
Backported fix to SVN branch-5-4 (0743231 (r10314)), branch-5-2 (b4a3372 (r10315)), branch-5-0 (b5eae87 (r10316)) and branch-4-10 (0b19156 (r10317)).

Also created ticket #3486 about defining a better debugging/testing mechanism for developers to use at the command line in MapServer 6.0

Closing.

Author: dmorissette
Date: 2010/07/08 - 23:30
Applied fix to SVN trunk 798d778 (r10319)

dmorissette was assigned Apr 5, 2012
