12 March 2008, 09:09

Several vulnerabilities in Mapbender map software

The Mapbender map application contains several vulnerabilities that can be exploited to examine the database contents and manipulate them or to take control of the server. The software is a geodata collection server using a web service interface to the Open Geospatial Consortium (OGC) standard. Inadequate filtering of user parameters in the mapFiler.php script makes it possible to write arbitrary PHP scripts in a file on the server and execute them.

Security services provider RedTeam Pentesting describes a demo exploit in its vulnerability report. RedTeam also found SQL injection holes in several Mapbender scripts which allow user names and the corresponding password hashes to be read. The errors occur in version 2.4.4. Previous versions are also likely to contain them. Updating to version 2.4.5 RC1 (ZIP file) should remedy the problem, although the changelog that accompanies the update makes no reference to any possible security problems.

Channels

Services

Several vulnerabilities in Mapbender map software

Also on The H:

Content Security Policy halts XSS in its tracks

Skype's ominous link checking: Facts and speculation

Password protection for everyone

Two clicks for more privacy

What's new in SUSE Linux Enterprise 11 SP3

What's new in Fedora 19

What's new in Linux 3.10

Free Software post-PRISM

Kernel Log: Coming in 3.10 (Part 4) - Drivers

The trouble with "Business Source"

Kernel Log: Coming in 3.10 (Part 3) - Infrastructure

Whatever happened to Google?

Java EE 7 at a glance

Continuous database migration with Liquibase and Flyway

Unit testing with Node.js

Ruby 2.0 - the 20th birthday present

Linux Mint 15: A better Ubuntu for the desktop

What's new in Linux 3.9

Replacing Google Reader

Attacking TrueCrypt

The H

The H Open

The H Security

The H Developer

The H Internet Toolkit