MapServer < 5.2.2 / 4.10.4 Multiple Flaws

high Nessus Plugin ID 36074

Synopsis

The remote web server contains a CGI script that is affected by multiple flaws.

Description

The remote host is running MapServer, an open source Internet map server. The installed version of MapServer is affected by multiple flaws :

- By creating a map file with overly long IMAGEPATH and/or NAME attribute(s), it may be possible to trigger a stack-based buffer overflow. (CVE-2009-0839)

- It may be possible to trigger a heap-based buffer overflow by sending a HTTP POST request with 'CONTENT_LENGTH' attribute set to '-1'. (CVE-2009-0840) Note: According to some reports this issue might have been incorrectly fixed, see references for more info.

- It may be possible to create arbitrary files by specifying file names to the 'id' parameter.
(CVE-2009-0841)

- Provided an attacker has privileges to create symlinks on the file system, it may be possible to partially read the contents of arbitrary files. (CVE-2009-0842)

- Provided an attacker has knowledge of a valid map file, it may be possible to determine if an arbitrary file exists on the remote system. (CVE-2009-0843)

- Sufficient boundary checks are not performed on 'id' parameter in mapserver.c. An attacker may exploit this issue to trigger a buffer overflow condition resulting in arbitrary code execution on the remote system. (CVE-2009-1176)

- File maptemplate.c is affected by multiple stack-based overflow issues. (CVE-2009-1177)

Solution

Upgrade to MapServer 5.2.2/4.10.4.

See Also

https://www.positronsecurity.com/advisories/2009-000.html

http://permalink.gmane.org/gmane.comp.security.oss.general/1861

https://seclists.org/fulldisclosure/2009/Mar/442

https://lists.osgeo.org/pipermail/mapserver-users/2009-March/060600.html

Plugin Details

Severity: High

ID: 36074

File Name: mapserver_5_2_2.nasl

Version: 1.17

Type: remote

Family: CGI abuses

Published: 4/2/2009

Updated: 6/1/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

Required KB Items: www/mapserver, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CVE: CVE-2009-0839, CVE-2009-0840, CVE-2009-0841, CVE-2009-0842, CVE-2009-0843, CVE-2009-1176, CVE-2009-1177

BID: 34306

CWE: 119, 20, 200, 22

Secunia: 34520