Update ArcGIS Server REST API for the Java Platform to not render an invalid text specified for output format (f=) in the HTML error page.

Description

A cross-site scripting (XSS) vulnerability has been identified in the ArcGIS Server REST API. The defect manifests itself when an ArcGIS REST Service request includes a malformed ‘f’ parameter (format).

The malformed format parameter is echoed back to the end user's browser without filtering. Successful exploitation of this vulnerability allows remote attackers to inject arbitrary Web scripts or HTML by way of the query string.

Note:
This article pertains to ArcGIS versions 9.x only. Later versions of ArcGIS may contain different functionality, as well as different names and locations for menus, commands and geoprocessing tools.

The following products are affected:

• ArcGIS Server 9.3 and 9.3.1 .NET
• ArcGIS Server 9.3 and 9.3.1 Java

Esri has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS) below, which indicates overall low to medium risk for this issue. Further information on this scoring system may be found at: Common Vulnerability Scoring System.

CVSS Ratings
Base Score: 2.6
Access Vector: Network
Access Complexity: High
Authentication: None required

Exploitability Score: 4.9
Confidentiality: None
Availability: None

Impact Score: 2.9
Confidentiality: None
Integrity: Partial
Availability: None

Cause

• The ESRI Security Team is not aware of any malicious exploitation of this vulnerability.
• This vulnerability was discovered during Web Application Security scanning.

Workaround

This vulnerability was addressed in ArcGIS Server 9.3.1 SP1.

Steps to Reproduce