MapServer Buffer Overflow and Multiple Cross Site Scripting Vulnerabilities

2007.09.01

Credit: vendor

Risk: High

Local: Yes

Remote: Yes

CVE: CVE-2007-4629

CWE: CWE-79

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

There is a small possibility of buffer overflow in processLine() (maptemplate.c). To trigger it you'd need a mapfile with a layer name, group name or metadata entry name longer than 5120 chars which is probably larger than what the parser would accept, but we'll fix it just in case.
------------------
Version 4.10.3 (2007-08-22)
* Fixed XSS vulnerabilities (#2256)
* Fixed possible buffer overflow in template processing (#2252)
* Rename libmap.a to libmapserver.a for commonality with libmapserver.so (#2150)
* Fixed size of output buffer in msGetEncodedString() (#2132)
* SOS : backport fixes related to large xml outputs (#1938, #2146)
* WCS : Fixed resampling/reprojecting for tileindex datasets (#2180)
-----------------

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MapServer Buffer Overflow and Multiple Cross Site Scripting Vulnerabilities

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.