cross-site scripting vulnerability in layer preview pages

Description

The application/openlayers WMS output format allows for script injection in the rendered page. It looks like the endpoint takes any user provided query string parameters and includes them as WMS layer parameters (all uppercased) and as GetFeatureInfo parameters (unaltered).

Here's an example:
http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp:states&styles=&bbox=-122.911,42.289,-122.777,42.398&width=512&height=416&srs=EPSG:4326&format=application/openlayers&%3C%2Fscript%3E%3Cscript%3Ealert%28%27x-scripted%27%29%3C%2Fscript%3E%3Cscript%3E=foo

Some browsers (recent WebKit) will not execute scripts found to have the same text as query string parameters/values, but other browsers will execute these scripts.

This would allow Evil Hacker to pass a link to GeoServer User and have a script running on GeoServer User's page that could send information back to Evil Hacker without GeoServer's knowledge.

To avoid this vulnerability, all user provided query string parameters and values should be sanitized/html-escaped before including them in page content.
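An added example, not code from the GeoServer project, modelling the preview page described above: parameters the preview does not consume itself are echoed into a script block, and the hardened variant JSON-encodes each name and value with `</` escaped, which is the script-context form of the escaping the report recommends (plain HTML entity escaping is the right tool where a value lands in HTML text or an attribute). The set of consumed parameters, the function names and the shape of the generated block are assumptions.

```python
import json
from urllib.parse import parse_qsl

# Assumed: parameters the preview page consumes itself; everything else is
# echoed back as a WMS layer parameter (uppercased) and as a GetFeatureInfo
# parameter (unaltered), as the report describes.
CORE_PARAMS = {"service", "version", "request", "layers", "styles", "bbox",
               "width", "height", "srs", "format"}

def extra_params(query):
    """Query-string pairs the preview would echo into the generated page."""
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() not in CORE_PARAMS]

def js_string(s):
    """Encode a value as a JS string literal for use inside a <script> block.
    json.dumps escapes quotes, backslashes and control characters; '</' is
    additionally rewritten so the text can never close the enclosing tag."""
    return json.dumps(s).replace("</", "<\\/")

def render_param_script(query, escape=True):
    """Emit the script block that hands the echoed parameters to OpenLayers.
    escape=False reproduces the reported behaviour: raw text written into
    the page, so a parameter name can terminate the script element."""
    enc = js_string if escape else (lambda s: '"' + s + '"')
    out = ["<script>", "var wmsParams = {"]
    for k, v in extra_params(query):
        out.append(f"  {enc(k.upper())}: {enc(v)},")
    out += ["};", "var infoParams = {"]
    for k, v in extra_params(query):
        out.append(f"  {enc(k)}: {enc(v)},")
    out += ["};", "</script>"]
    return "\n".join(out)

def script_breakout(page):
    """Defender check: any closing script tag between the block's own
    delimiters means user input was able to terminate the script element."""
    body = page[len("<script>"):-len("</script>")]
    return "</script" in body.lower()

# Constructed query string, taken from the URL in the report above.
QUERY = ("service=WMS&version=1.1.0&request=GetMap&layers=topp:states&styles=&"
         "bbox=-122.911,42.289,-122.777,42.398&width=512&height=416&"
         "srs=EPSG:4326&format=application/openlayers&"
         "%3C%2Fscript%3E%3Cscript%3Ealert%28%27x-scripted%27%29"
         "%3C%2Fscript%3E%3Cscript%3E=foo")

if __name__ == "__main__":
    print("raw echo breaks out:", script_breakout(render_param_script(QUERY, escape=False)))
    print("encoded echo breaks out:", script_breakout(render_param_script(QUERY)))
```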

Environment

None

Status

Assignee

Unassigned

Reporter

codehaus

Triage

None

Fix versions

Affects versions

2.2-RC3

Components

Priority

Medium