Affected Systems:
University of Minnesota mapserver 5.2.1
University of Minnesota mapserver 4.10.3
Unaffected systems:
University of Minnesota mapserver 5.2.2
University of Minnesota mapserver 4.10.4
Description:
--------------------------------------------------------------------------------
BugTraq ID: 34306
CVE (CAN) ID: CVE-2009-0839, CVE-2009-0840, CVE-2009-0841, CVE-2009-0843, CVE-2009-0842, CVE-2009-1176
MapServer is a cross-platform program for building interactive web map applications.
MapServer contains multiple vulnerabilities that allow remote attackers to disclose sensitive information, bypass security restrictions, cause a denial of service, or compromise a vulnerable system.
1) A remote attacker who uploads a malicious map file to the server, or who sends a specially crafted request whose id parameter is longer than 128 bytes, can trigger a stack-based buffer overflow in the mapserv CGI program and execute arbitrary code. The vulnerable code is in mapserv.c:
406:  strncpy(mapserv->ID, mapserv->request->ParamValues[i], IDSIZE);
1112: int main(int argc, char *argv[]) {
1114:   char buffer[1024], *value = NULL;
1783:   sprintf(buffer, "%s%s%s%s", mapserv->map->web.imagepath, \
            mapserv->map->name, mapserv->ID, MS_QUERY_EXTENSION);
1826: }
2) The mapserv CGI program has an indexing error when processing the Content-Length header. Remote attackers can trigger a heap overflow by submitting a specially crafted POST request, resulting in an out-of-bounds array access. A successful attack requires that the web server does not filter the Content-Length header.
3) Because the id parameter passed to the mapserv CGI program is not sanitized, remote attackers can write files to arbitrary locations via directory traversal. The vulnerable code:
[mapserv.c]
1783: sprintf(buffer, "%s%s%s%s", mapserv->map->web.imagepath, \
          mapserv->map->name, mapserv->ID, MS_QUERY_EXTENSION);
1784: if((status = msSaveQuery(mapserv->map, buffer)) != MS_SUCCESS) \
          return status;
[mapquery.c]
89:   stream = fopen(filename, "wb");
90:   if(!stream) {
91:     [...]
92:     return(MS_FAILURE);
93:   }
4) If an attacker supplies the full path of a file as the map parameter, the mapserv CGI program discloses sensitive information from that file while processing it.
5) The mapserv CGI program returns different error messages depending on whether a file exists on the system, so remote attackers can use the queryfile request parameter to determine whether a specific file is present.
6) A specially crafted map file can trigger a stack overflow in the msGenerateImages() function in maptemplate.c.
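As an added defensive illustration (not code from MapServer or from the advisory), the following C shows how items 1 and 3 are closed together: the id parameter is checked against the 128-byte limit and restricted to a safe character set before use, and the query-file path is built with snprintf() and a truncation check instead of an unbounded sprintf(). The names validate_id, build_query_path and the sample paths are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define IDSIZE 128   /* the id length limit the advisory cites */

/* Accept an id only if it is non-empty, shorter than IDSIZE, fits in out, and
 * contains no character that could form a path separator or a ".." sequence. */
int validate_id(const char *id, char *out, size_t outlen)
{
    size_t n = strlen(id);
    if (n == 0 || n >= IDSIZE || n >= outlen)
        return 0;                          /* too long: would not fit */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)id[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;                      /* rejects '/', '\\', '.', ... */
    }
    memcpy(out, id, n + 1);                /* n < outlen: terminator fits */
    return 1;
}

/* Build <imagepath><mapname><id><ext> with an explicit truncation check,
 * replacing the unbounded sprintf() into the fixed 1024-byte buffer. */
int build_query_path(const char *imagepath, const char *mapname,
                     const char *id, const char *ext,
                     char *buffer, size_t buflen)
{
    int len = snprintf(buffer, buflen, "%s%s%s%s", imagepath, mapname, id, ext);
    if (len < 0 || (size_t)len >= buflen) {
        buffer[0] = '\0';
        return 0;                          /* would have overflowed: refuse */
    }
    return 1;
}

int main(void)
{
    char id[IDSIZE], path[1024];
    /* Constructed inputs: one benign id and one traversal attempt. */
    const char *ids[] = { "hhhhiiiijjjjkkkk", "/../tmp/oops" };
    for (int i = 0; i < 2; i++) {
        if (validate_id(ids[i], id, sizeof id) &&
            build_query_path("/var/tmp/", "mymap", id, ".qy", path, sizeof path))
            printf("query file: %s\n", path);
        else
            printf("rejected id: %s\n", ids[i]);
    }
    return 0;
}
```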
<* Source: Joe Testa (joetesta@hushmail.com)
Link: http://secunia.com/advisories/26561
http://marc.info/?l=bugtraq&m=123843735416096&w=2
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
http://site/cgi-bin/mapserv?map=/tmp/BOF.map&mode=query&queryfile=/tmp/queryfile.qf&savequery=1&id=hhhhiiiijjjjkkkk
http://site/cgi-bin/mapserv?map={mapfile}&mode=query&queryfile={queryfile}&savequery=1&id=/../tmp/oops
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
University of Minnesota
-----------------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://download.osgeo.org/mapserver/mapserver-4.10.4.tar.gz
http://download.osgeo.org/mapserver/mapserver-5.2.2.tar.gz
Source: www.china-antivirus.com
Article URL: http://www.china-antivirus.com/Html/xitongloudong/8720479929.html