An input validation flaw was found in the way mapserver's mapserv CGI form results decoding script used to handle certain fields of the provided CGI query string. A remote attacker could use this flaw to write (potentially malicious) data to certain file system places with the privileges of the web server user or escalate his privileges by providing a specially-crafted map file.

References:
-----------
http://trac.osgeo.org/mapserver/ticket/1836
https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/398814

From the mapserver/ticket/1836:
-------------------------------
"07/22/09 23:42:40 changed by sdlime
Back ported to 5.0 and 5.2 branches for completeness... Steve"

Proof of Concept:
-----------------
firefox http://biometry.gis.umn.edu/cgi-bin/mapserv.exe?map=/boot/grub/device.map
-> msLoadMap(): Unknown identifier. Parsing error near (hd0):(line 1)

Tested mapserver version:
-------------------------
mapserver-5.2.1-6.fc11

Further information:
--------------------
In case this issue was already addressed within
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0842
feel free to close this Bugzilla record.
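The proof of concept above points the `map=` CGI parameter at a file outside any map directory, and the resulting parser error leaks a line of that file. The following is an added example, not MapServer's own code or the fix shipped in the referenced ticket: it shows the kind of server-side check that confines a `map=` value to an allowed directory and `.map` extension after path canonicalisation, and runs the same check over a few constructed access-log lines to flag requests that would have been rejected. The directory layout, `validate_map_param` / `suspicious_map_requests` names and log lines are all constructed for the demonstration.

```python
"""Confine a CGI 'map=' parameter to an allowed directory (added example).

Mitigation shown here (not MapServer's code): canonicalise the requested path,
require it to stay under an allowed root, and require a '.map' extension.
The same check is then applied to constructed access-log lines as a simple
detection pass for requests that escape the map directory.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Only plain path characters and a .map suffix; NUL bytes and other control
# characters fail this pattern before any filesystem call is made.
MAP_NAME_RE = re.compile(r"^[A-Za-z0-9_./-]+\.map$")


def validate_map_param(value: str, allowed_root: str) -> Optional[str]:
    """Return the canonical path if `value` names a .map file under allowed_root, else None."""
    if not value or not MAP_NAME_RE.match(value):
        return None
    root = os.path.realpath(allowed_root)
    # Absolute and relative values are treated alike: always joined under root.
    candidate = os.path.realpath(os.path.join(root, value.lstrip("/")))
    # realpath() has resolved '..' segments and symlinks, so a candidate that no
    # longer shares the root prefix has escaped the allowed directory.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def suspicious_map_requests(log_lines: List[str], allowed_root: str) -> List[Tuple[str, str]]:
    """Return (log_line, map_value) pairs whose map= parameter fails validation."""
    findings = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        for value in query.get("map", []):
            if validate_map_param(value, allowed_root) is None:
                findings.append((line, value))
    return findings


def make_demo_root() -> str:
    """Create a throwaway map directory holding demo/site.map (constructed fixture)."""
    root = tempfile.mkdtemp(prefix="mapfiles-")
    os.makedirs(os.path.join(root, "demo"))
    with open(os.path.join(root, "demo", "site.map"), "w") as fh:
        fh.write('MAP\n  NAME "demo"\nEND\n')
    return root


# Constructed access-log lines: one legitimate request, two that leave the map root.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jul/2009:23:42:40 +0000] "GET /cgi-bin/mapserv?map=demo/site.map&mode=map HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/Jul/2009:23:43:01 +0000] "GET /cgi-bin/mapserv?map=/boot/grub/device.map HTTP/1.1" 500 88',
    '10.0.0.9 - - [22/Jul/2009:23:43:07 +0000] "GET /cgi-bin/mapserv?map=../../etc/passwd HTTP/1.1" 500 88',
]

if __name__ == "__main__":
    demo_root = make_demo_root()
    print("accepted:", validate_map_param("demo/site.map", demo_root))
    print("rejected:", validate_map_param("/boot/grub/device.map", demo_root))
    for line, value in suspicious_map_requests(SAMPLE_LOG, demo_root):
        print("flagged map= value:", value)
```

The check deliberately resolves symlinks before comparing prefixes, so a link planted inside the map directory that points elsewhere is rejected as well; a plain string-prefix test on the unresolved path would not catch that case.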
mapserver has been updated to >= 5.4, which according to upstream doesn't have this problem.