Security Vulnerabilities - Possible SQL Injection using OGC filter encoding #3903

Closed
mapserver-bot opened this Issue Apr 4, 2012 · 11 comments

Reporter: assefa
Date: 2011/06/01 - 18:07
Trac URL: http://trac.osgeo.org/mapserver/ticket/3903
This ticket is to track fixes to prevent SQL injections through OGC filter encoding (in WMS, WFS and SOS), as well as a potential SQL injection in WMS time support.

Your system may be vulnerable if it has MapServer with OGC protocols enabled, with layers connecting to an SQL RDBMS backend, either natively or via OGR.

All versions of MapServer 4.x, 5.x and 6.x are potentially vulnerable. All users are **strongly encouraged** to upgrade to one of the latest releases with the fixes.
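
An added illustration, not MapServer's code and not part of the original ticket: one way to keep the `PropertyName` and `Literal` of an OGC `PropertyIsEqualTo` filter from changing the SQL they are embedded in. The function names, buffer sizes and sample values are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy `in` to `out`, doubling every single quote (standard SQL escaping).
 * Returns the escaped length, or -1 if `out` is too small.
 * Assumption: the backend treats backslash literally. With a real driver,
 * prefer bound parameters or its own routine (e.g. libpq PQescapeStringConn). */
int escape_sql_literal(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 2 : 1;
        if (n + need >= outsz) return -1;   /* keep room for the terminator */
        if (*in == '\'') out[n++] = '\'';
        out[n++] = *in;
    }
    out[n] = '\0';
    return (int)n;
}

/* A PropertyName is accepted only as a plain identifier: letters, digits, '_'. */
int is_safe_identifier(const char *s)
{
    if (!*s || isdigit((unsigned char)*s)) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_') return 0;
    return 1;
}

/* Build `"prop" = 'literal'` for a PropertyIsEqualTo filter.
 * Returns 0 on success, -1 if the name is rejected or a buffer is too small. */
int build_equal_clause(const char *prop, const char *literal,
                       char *out, size_t outsz)
{
    char esc[256];
    int n;
    if (!is_safe_identifier(prop)) return -1;
    if (escape_sql_literal(literal, esc, sizeof esc) < 0) return -1;
    n = snprintf(out, outsz, "\"%s\" = '%s'", prop, esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char sql[512];
    /* Constructed Literal value containing a quote character. */
    if (build_equal_clause("name", "O'Brien", sql, sizeof sql) == 0) puts(sql);
    return 0;
}
```
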

Author: assefa
Date: 2011/07/12 - 15:25
commits:
trunk is 990986a (r11898)
6.0 branch is d4c9f88 (r11890)
5.6 branch is d3ab6cc (r11891)
5.4 branch is bf302b8 (r11892)
5.2 branch is 47da4cc (r11893)
5.0 branch is 77aadb0 (r11894)
4.10 branch is 8efadc3 (r11897)

Author: dmorissette
Date: 2011/07/12 - 15:40
Note: the revisions above also contain fixes for potentially exploitable buffer overflows in OGC Filter Encoding support.

Versions 4.10 to 5.6 were potentially vulnerable and have been fixed. 6.0.0 already contained fixes for those problems.

Author: dmorissette
Date: 2011/07/12 - 20:31
Committed 9d4a7e2 (r11910) in SVN branch-6-0 (v6.0.1) and e40b478 (r11913) in SVN trunk to add missing #ifdef USE_POSTGIS in msPostGISEscapeSQLParam() to allow building without postgis support.

Author: assefa
Date: 2011/07/12 - 22:53
missed postgis function in patches 5.6 (1c63d3f (r11914)), 5.4 (edd362e (r11916)), 5.2 (1192c4d (r11921)), 5.0 (b3c3361 (r11922)), 4.10 (efd3989 (r11915))

Author: dmorissette
Date: 2011/07/13 - 16:38
Fixes released in MapServer 6.0.1, 5.6.7 and 4.10.7:

http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html

@tbonfort tbonfort pushed a commit to tbonfort/mapserver that referenced this issue Apr 4, 2012

@dmorissette dmorissette Fix typo and missing #3903 entry
git-svn-id: http://svn.osgeo.org/mapserver/branches/branch-5-0@11938 7532c77e-422f-0410-93f4-f0b67bdd69e2
6b67f02

@ghost ghost assigned assefay Apr 5, 2012
