Hi Andrea,

"The other three have to do with the UI, the common practice is to not expose 
the user interface to the web, using a proxy and only allowing service paths 
(geoserver/ows, geoserver/wms, geoserver/wfs for example) to be called from 
outside, while allowing only access to the UI from specific IPs."

I have to respectfully but strongly disagree here. I'd certainly say that's 
*good* practice, but it's *not* common practice.

To confirm my hypothesis, I just scraped about 650 different /geoserver/web 
pages scattered across the internet and I received over five hundred (500) 
responses that had a 200 response code. So I'd suggest that anything that 
affects the user interface should certainly be considered a security bug and 
treated accordingly.
Alas, relying on users/admins to do things properly is always a recipe for 
disaster when it comes to security.

Cheers,
Jonathan



---- On Sat, 25 Mar 2017 15:35:23 +0000 Andrea Aime 
<[email protected]> wrote ---- 

First off, GeoServer has a "responsible disclosure" policy that your mail 
violates in a most severe way: 
https://osgeo-org.atlassian.net/projects/GEOS/summary



About the issues:
Session fixation has been solved in 2.9.3, you'll have to upgrade, see 
https://osgeo-org.atlassian.net/browse/GEOS-7849
The improper error handling can likely be addressed by un-checking "verbose 
exception reporting" in the global sessions page, see also 
http://docs.geoserver.org/stable/en/user/configuration/globalsettings.html#verbose-exception-reporting
The other three have to do with the UI, the common practice is to not expose 
the user interface to the web, using a proxy and only allowing service paths 
(geoserver/ows, geoserver/wms, geoserver/wfs for example) to be called from 
outside, while allowing only access to the UI from specific IPs.
Regards

Andrea




On Sat, Mar 25, 2017 at 12:29 PM, Sharath Shetty 
<[email protected]> wrote:
Dear all,


We have hosted the Geoserver (version 2.9.0) application in our office to 
accomplish GIS activities. Before hosting this software in our data center, it 
had to be audited for vulnerabilities.


The security assessment of the application found some vulnerabilities. I have 
attached details of some of these vulnerabilities for your reference.


Kindly look into the attachment and instruct us on fixing the 
vulnerabilities.


Details of software used:

Geoserver version: 2.9.0

Java version: JDK1.8.0_121

Apache Tomcat: apache-tomcat-8.0.41

Web services created: WMS and WFS



The vulnerability details are attached, with a description and the impact of 
each vulnerability and also the solution to resolve it. So we request that you 
instruct us on resolving these issues.
-- 
Thanks & Regards,
Sharath Shetty
M: 7259590267
------------------------------------------------------------------------------
 Check out the vibrant tech community on one of the world's most
 engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
 Geoserver-users mailing list
 [email protected]
 https://lists.sourceforge.net/lists/listinfo/geoserver-users
-- 
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.
==

Ing. Andrea Aime 
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


The information in this message and/or attachments is intended solely for the 
attention and use of the named addressee(s) and may be confidential or 
proprietary in nature or covered by the provisions of the privacy act (Legislative 
Decree June 30, 2003, no. 196 - Italy's New Data Protection Code). Any use not in 
accord with its purpose, any disclosure, reproduction, copying, distribution, 
or dissemination, either whole or partial, is strictly forbidden except with 
previous formal approval of the named addressee(s). If you are not the intended 
recipient, please contact the sender immediately by telephone, fax or e-mail 
and delete the information in this message that has been received in error. The 
sender does not give any warranty or accept liability as to the content, accuracy 
or completeness of sent messages and accepts no responsibility for changes 
made after they were sent or for other risks which arise as a result of e-mail 
transmission, viruses, etc.
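One way to implement the proxy layout Andrea describes (service paths public, the /geoserver/web UI reachable only from specific IPs), as an added nginx example that is not from this thread or from the GeoServer project; the backend address, the hostname and the admin network range are assumptions:

```nginx
# Added example, not from the thread: an nginx front end applying the
# pattern Andrea describes. Assumed: GeoServer listens on 127.0.0.1:8080
# behind this proxy, and 10.0.0.0/8 stands in for the admin network.
upstream geoserver_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name maps.example.org;   # placeholder hostname
    # ssl_certificate and ssl_certificate_key directives omitted here

    # Admin UI (/geoserver/web): only the allowlisted admin network gets
    # through; every other client receives 403 from "deny all".
    location /geoserver/web {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://geoserver_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # OGC service endpoints named in the thread: reachable from anywhere.
    # A regex location wins over the "/geoserver/" prefix below.
    location ~ ^/geoserver/(ows|wms|wfs)(/|$) {
        proxy_pass http://geoserver_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Anything else under /geoserver (REST API, other UI paths) is
    # simply not published.
    location /geoserver/ {
        return 404;
    }

    location / {
        return 404;
    }
}
```

Workspace-qualified virtual services (for example /geoserver/<workspace>/wms) are blocked by this configuration and must be added to the regex if you rely on them. The allow/deny rules act on the TCP peer address, so a load balancer in front of nginx needs the real client IP passed through before they are meaningful.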