Remote Code Execution with XStream

Description

Hello GeoServer Team,

I'd like to report to you a remote code execution vulnerability.
I found it during a penetration test for a customer this week.

The the attached requests executes" /usr/bin/xterm" on the target

The problem is that your REST implementation is using Xstream that is configured in an insecure way.

Please let me know if you have any questions.

Thank you,
Matthias

Environment

None

Activity

Show:
Jody Garnett
September 26, 2015, 6:38 PM

I got another report from a developer in Victoria, I will hunt down the
details on Monday with Kevin.

Have we had any reports of xstream / wps failure coming out of the release
candidate? Or just the GWC one Kevin found earlier.


Jody Garnett

On 26 September 2015 at 08:13, Andrea Aime <andrea.aime@geo-solutions.it>

------------------------------------------------------------------------------

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Daniele Romagnoli
September 28, 2015, 7:26 AM

I have found these 2 in the past month:
https://osgeo-org.atlassian.net/browse/GEOS-7175
https://osgeo-org.atlassian.net/browse/GEOS-7146

Cheers,
Daniele

On Sat, Sep 26, 2015 at 8:47 PM, Andrea Aime <andrea.aime@geo-solutions.it>


==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.
==

Ing. Daniele Romagnoli
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

------------------------------------------------------------------------------

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Torben Barsballe
September 28, 2015, 7:08 PM

Update on the WPS 'issue' - it was ultimately a false alarm, caused by a few different factors - turns out I have been using the wrong method of debugging GeoServer extensions for the past year or so, and it finally caused problems.

Created GEOS-7221.

Torben Barsballe
September 28, 2015, 7:27 PM

The recent comments on do not represent a blocker, the WPS issues
all seem to have been caused by poor documentation.
Created https://osgeo-org.atlassian.net/browse/GEOS-7221 (documentation
issue, non-critical).

Tested WPS in eclipse and with 2.8-RC1; no issues.

Torben

On Mon, Sep 28, 2015 at 12:25 AM, Daniele Romagnoli <

------------------------------------------------------------------------------

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Andrea Aime
February 15, 2017, 11:48 AM

Mass closing all resolved issues not modified in the last 4 weeks

Fixed

Assignee

Unassigned

Reporter

Matthias Kaiser

Triage

None

Fix versions

Affects versions

Components

Priority

Highest
Configure