You can see the content of the server by sending the right request to GeoServer

Description

If you send the request:

Request sample removed

To your server, which runs on Linux, you will receive the contents of the /etc/passwd file. In the same way you can get directory listings and see the contents of other files.

This is not what you want. It is possible to create filters in the web server so these exploits don't work anymore (filter on file://). But are there other ways to prevent this kind of exploit?

Below is the GeoServer logging information:

2015-05-18 14:25:06,609 INFO [geoserver.wfs] -
Request: getServiceInfo
2015-05-18 14:25:06,614 ERROR [geoserver.ows] -
org.geoserver.wfs.WFSException: Illegal property name: <contents of the file /etc/passwd>
at org.geoserver.wfs.GetFeature$1.visit(GetFeature.java:1133)
at org.geotools.filter.AttributeExpressionImpl.accept(AttributeExpressionImpl.java:381)
at org.geotools.filter.visitor.AbstractFilterVisitor.visit(AbstractFilterVisitor.java:219)
at org.geotools.filter.visitor.AbstractFilterVisitor.visit(AbstractFilterVisitor.java:234)
at org.geotools.filter.IsEqualsToImpl.accept(IsEqualsToImpl.java:162)
at org.geoserver.wfs.GetFeature.validateFilter(GetFeature.java:1141)
at org.geoserver.wfs.GetFeature.run(GetFeature.java:447)
at org.geoserver.wfs.DefaultWebFeatureService.getFeature(DefaultWebFeatureService.java:121)
at sun.reflect.GeneratedMethodAccessor330.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:319)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.geoserver.ows.util.RequestObjectLogger.invoke(RequestObjectLogger.java:54)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy59.getFeature(Unknown Source)
at sun.reflect.GeneratedMethodAccessor329.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.geoserver.ows.Dispatcher.execute(Dispatcher.java:774)
at org.geoserver.ows.Dispatcher.handleRequestInternal(Dispatcher.java:272)
at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:923)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.geoserver.filters.ThreadLocalsCleanupFilter.doFilter(ThreadLocalsCleanupFilter.java:27)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:74)
at org.geoserver.wms.animate.AnimatorFilter.doFilter(AnimatorFilter.java:70)
at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:70)
at org.geoserver.filters.SpringDelegatingFilter.doFilter(SpringDelegatingFilter.java:45)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.geoserver.platform.AdvancedDispatchFilter.doFilter(AdvancedDispatchFilter.java:49)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.geoserver.security.filter.GeoServerAnonymousAuthenticationFilter.doFilter(GeoServerAnonymousAuthenticationFilter.java:53)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
at org.geoserver.security.filter.GeoServerBasicAuthenticationFilter.doFilter(GeoServerBasicAuthenticationFilter.java:82)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:52)
at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:134)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:75)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:42)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:47)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:43)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.vfny.geoserver.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:745)

Environment

Linux CentOS
Tomcat6
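As an added defensive example (not code from the GeoServer project or from this issue's reporter), the following Python does two things: it scans GeoServer log lines for the "Illegal property name" rejection shown in the trace above and flags cases where the rejected value looks like leaked file contents or a file URI rather than a property name, and it expresses the "filter on file://" idea from the description as a request-side check a reverse proxy could apply. The log line format follows the excerpt in the issue; the sample log lines, the screened parameter names and the classification heuristics are my own assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample of GeoServer log output, modelled on the WFSException in
# the issue. The passwd-style record stands in for the leaked file contents
# that an unpatched server echoes into the "Illegal property name" message.
SAMPLE_LOG = """\
2015-05-18 14:25:06,609 INFO [geoserver.wfs] -
Request: getServiceInfo
2015-05-18 14:25:06,614 ERROR [geoserver.ows] -
org.geoserver.wfs.WFSException: Illegal property name: root:x:0:0:root:/root:/bin/bash
2015-05-18 14:26:01,002 INFO [geoserver.wfs] -
Request: GetFeature
2015-05-18 14:26:01,010 ERROR [geoserver.ows] -
org.geoserver.wfs.WFSException: Illegal property name: topp:nonexistent
"""

# GeoServer logs the rejected property name verbatim after this prefix.
ILLEGAL_PROP = re.compile(r"WFSException: Illegal property name: (?P<value>.*)$")

# Shape of a legitimate WFS property name: optionally prefixed identifiers
# joined by '/', e.g. "STATE_NAME" or "topp:the_geom". Anything else is odd.
_STEP = r"[A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?"
VALID_PROPERTY_NAME = re.compile(rf"^{_STEP}(?:/{_STEP})*$")

# Shape of one /etc/passwd record: seven colon-separated fields with a
# numeric uid and gid.
PASSWD_RECORD = re.compile(r"^[^:\s]+:[^:]*:\d+:\d+:[^:]*:[^:]*:\S*$")


def classify_illegal_property(value: str) -> Optional[str]:
    """Explain why a rejected property name is suspicious, or return None when
    it just looks like a typo in an otherwise normal property name."""
    if "file:" in value.lower():
        return "file-uri-in-property-name"
    if PASSWD_RECORD.match(value.strip()):
        return "passwd-like-content"
    if not VALID_PROPERTY_NAME.match(value):
        return "non-identifier-property-name"
    return None


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reason, rejected_value) for each log line whose
    rejected property name looks like file content or a file URI."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ILLEGAL_PROP.search(line)
        if m is None:
            continue
        value = m.group("value")
        reason = classify_illegal_property(value)
        if reason is not None:
            hits.append((lineno, reason, value))
    return hits


# Request-side screen: the "filter on file://" idea from the issue, written as
# a check a reverse proxy or WAF rule could apply before the request reaches
# GeoServer. The parameter names are assumed (WFS KVP parameter names are
# case-insensitive, hence the lower-casing); POST bodies are not covered.
SCREENED_PARAMS = {"propertyname", "filter", "cql_filter", "typename"}


def screen_request(url: str) -> Optional[str]:
    """Return the name of the first screened query parameter carrying a file:
    URI (checked after percent-decoding), or None if the request is acceptable."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in query.items():
        if name.lower() not in SCREENED_PARAMS:
            continue
        for v in values:
            if "file:" in v.lower():
                return name
    return None


if __name__ == "__main__":
    for lineno, reason, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}: {value[:60]}")
```

Two caveats a practitioner would want: the request screen matches after percent-decoding, because a substring filter applied to the raw query string is trivially bypassed by encoding, and it only sees the query string, so XML POST requests need the same check applied to the body. Both the log scan and the screen are compensating controls; the fix on this issue is upgrading to 2.6.4 or a nightly that contains it.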

Activity

Jukka Rahkonen
June 23, 2015, 8:07 AM

Hi,

Speaking with the voice of an organization using GeoServer, I consider that the case has been handled well enough and the response time to fix the issue was not bad at all.
If I compare with other software, some of those deliver hotfixes like this http://www.esri.com/software/arcgis/extensions/districting/download-hotfix-build118 or this http://www.exelisvis.com/Support/HelpArticlesDetail/TabId/219/ArtMID/900/ArticleID/13541/ENVI-5-SP3-Hotfix-for-Landsat-8-OLI.aspx

Examples also show how those companies announce their hotfixes. For me it looks kind of similar to what GeoServer had in the 2.6.4 release announcement.
However, the release cycle of that software can be one or two years, which makes hotfixes more or less necessary. Hotfixes three weeks before a new release are rare.

This vulnerability was for sure more severe than usual; actually I do not remember any similar case. In this case it might have been better to announce nightly builds as a hotfix while waiting for the new releases. Perhaps that could be the plan for the future.

Jukka Rahkonen

From: Andrea Aime andrea.aime@geo-solutions.it
Sent: 23 June 2015 10:02
To: Johannes Kröger
Cc: Geoserver-devel
Subject: Re: [Geoserver-devel] Handling of GEOS-7032: Remote File Disclosure

On Mon, Jun 22, 2015 at 11:07 PM, Johannes Kröger <johannes.kroeger@hcu-hamburg.de> wrote:
Hi!

Earlier I posted things on Twitter and IRC that others seem to have
taken as more or less personal attacks or at least abrasive ranting.

The amount of noise you've been making for this one on Twitter, even after
the OSGeo president (no less) asked you to use a more constructive
attitude, would make many think you're simply trying to discredit the project.
We haven't seen that kind of attitude in years.

Mind, I'm not saying we haven't made mistakes, but ask yourself: with thousands of users
subscribed to the users mailing list, hundreds subscribed to the devel
list, and with so many with a Twitter account, how
come we don't have tens of people raising hell?
Many may not have noticed, but I guess those that did do understand
the volunteer nature of the project.

I am sorry about that, please do not take my criticism personally.

Nobody took it as personal criticism, people are just defending the project
and the community.

It is
easy to forget that there are people behind "words on the internet".
However I was and still am shocked at the handling of a critical
security issue in GeoServer and the neglect to protect the users.

I guess you have the wrong impression about the community around here.
We are not Linux, nor Apache; we don't have a large and well-funded organization
that would allow us to dedicate people to these issues, we simply
tried to manage it the best we can with the limited resources at hand.
I put time into fixing the issue, my company sponsored the time to do the backports
from dev to stable and maintenance, Boundless people reviewed promptly,
Ben did the 2.6.4 release, someone else will put in the time to do the 2.7.2 release.

Not saying the above cannot be improved btw, we can certainly use some help there.

Any attempt at improving the current situation into a more
predictable, better managed one, with faster response times (which I agree would be desirable),
will have to answer one simple question: "with what resources?".

As Jody said, people have the option of downloading a nightly build, especially on the
stable series, the releases are really nothing more than a procedure to
tag the nightly of the right day in the month (the 18th), unless of course
the tests in the build or the nightly OGC conformance tests failed
(which is a rare occurrence).
Yet, the release procedure still eats around 4 hours of someone's time (someone
with admin rights in all the key areas), and the people routinely doing releases are
a handful, all busy up to their eyeballs with their daily work already.
(check the release schedule, it has the release managers for each release:
https://github.com/geoserver/geoserver/wiki/Release-Schedule)

Next time you see something wrong in the project we'll be happy to hear
about it, and if you actually understood what Jeff McKenna tried to explain to you,
you'll hopefully start your sentences with "I'm concerned with XYZ, how can I help?".

If instead you're starting writing something like "I'm shocked" take a deep breath,
think about it, and reword.... incidentally, that's what I usually do when I'm writing about something that
bothers me: the mail gets often rewritten 2-3 times, progressively toning it down (
and people still do complain I'm too direct after all that work )

You're also welcome to join tonight's Skype meeting, where the issue will be discussed
and people will bring to the table whatever they can offer to improve the management of
this kind of issue, now and in the future.
The meeting will be 9.30pm CET, send me, Jody or Ben your skype id in case you
want to join.

Cheers
Andrea



Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


-------------------------------------------------------

------------------------------------------------------------------------------
Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors
network devices and physical & virtual servers, alerts via email & sms
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o

Robert Coup
June 23, 2015, 8:33 AM

Hi Ben/Jody,

The best guide I've come across is this:
https://github.com/RedHatProductSecurity/CVE-HOWTO

This issue has been public (on the bug tracker & mailing list, even before
today's visibility), so the oss-security approach is best. More details on
that are here: http://oss-security.openwall.org/wiki/disclosure/cve

Essentially, send an email to the list with some very broad-strokes
details, and you get a CVE number allocated.

HTH,

Rob

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Ben Caradoc-Davies
June 23, 2015, 8:15 PM

All GeoServer releases except 2.6.4 have a remote file disclosure
vulnerability that permits an unauthenticated remote attacker to use a
malicious request to view any file on the server visible to GeoServer,
including files outside the data directory.

This vulnerability is fixed in 2.6.4 and in all nightlies including
those for stable (2.7.x) and master.

All future GeoServer releases will contain a fix for this vulnerability.

See:

https://osgeo-org.atlassian.net/browse/GEOS-7032
http://osgeo-org.1560.x6.nabble.com/Handling-of-GEOS-7032-Remote-File-Disclosure-td5212383.html

Kind regards,
Ben.

-------- Forwarded Message --------
Subject: [Geoserver-users] GeoServer 2.6.4 Released
Date: Fri, 19 Jun 2015 08:40:59 +1200
From: Ben Caradoc-Davies <ben@transient.nz>
To: geoserver-users@lists.sourceforge.net

http://blog.geoserver.org/2015/06/18/geoserver-2-6-4-released/
[...]
The GeoServer team is pleased to announce the release of GeoServer 2.6.4
[...]
GeoServer 2.6.4 is a maintenance release of GeoServer recommended for
production deployment. This release contains IMPORTANT SECURITY FIXES
so please upgrade.
[...]


Ben Caradoc-Davies <ben@transient.nz>
Director
Transient Software Limited <http://transient.nz/>
New Zealand


Jody Garnett
June 27, 2015, 2:06 AM

Thanks Ben and Andrea for handling this in a clear manner.

We now have three releases available with the fix:

The website will be updated shortly, for now please consider the above
links.


Jody Garnett

_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Andrea Aime
February 15, 2017, 11:48 AM

Mass closing all resolved issues not modified in the last 4 weeks

Fixed

Assignee

Andrea Aime

Reporter

Luuk Schaminee

Triage

None

Priority

Highest