Bug: ArcGIS Server Format Parameter Cross-Site Scripting (XSS) Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the ArcGIS Server REST API. The defect is triggered when an ArcGIS REST service request includes a malformed ‘f’ (output format) parameter.
The malformed format parameter is reflected back to the end user's browser without filtering. Successful exploitation allows a remote attacker to inject arbitrary Web script or HTML into the response by way of the query string.
The following products are affected:
· ArcGIS Server 9.3 and 9.3.1 .NET
· ArcGIS Server 9.3 and 9.3.1 Java
ESRI has scored the vulnerability using the Common Vulnerability Scoring System (CVSS v2 metrics); the scores below indicate an overall low to medium risk for this issue. Further information on this scoring system may be found at: Common Vulnerability Scoring System.
Base Score: 2.6
Access Vector: Network
Access Complexity: High
Authentication: None required
Exploitability Score: 4.9
Impact Score: 2.9
· The ESRI Security Team is not aware of any malicious exploitation of this vulnerability.
· This vulnerability was discovered during Web Application Security scanning.
ArcGIS Server 9.3.1 SP1 will address this vulnerability. ArcGIS Server service packs may be found at: Patches and Service Packs for ArcGIS Server.
Until that time, ESRI is providing a variety of defense-in-depth workarounds that can significantly reduce your system's attack surface. Three common information system architecture components that can be configured to reduce or eliminate the chance of this vulnerability being exploited are:
· Intrusion Prevention System (IPS)
· Web Application Firewall (WAF)
· Browser XSS Filters
If your organization has an IPS available, it is recommended to create a whitelist of valid values for the ‘f’ parameter on ArcGIS service requests and block anything else. The ten valid ‘f’ values are listed at: REST API output formats.
Two free software solutions are ModSecurity (Apache) for Java customers and URLScan (IIS) for .NET users. ESRI has performed preliminary validation tests of both products with ArcGIS Server 9.3.1 in their default configurations.
ModSecurity
· Tested with Windows 2003 SP2, ModSecurity 2.5.10, Apache Web Server 2.2.14 with the current Core Rule Set.
· ModSecurity is available at: http://www.modsecurity.org/.
· Web service security scanning after implementation showed significantly improved XSS protection for ArcGIS Server 9.3.1.
· ModSecurity can be added directly to the Web servers that host ArcGIS Server, or to a reverse proxy that may already sit in front of your ArcGIS Server (AGS) implementation.
· A whitelist like the one suggested for an IPS above can be implemented as a ModSecurity rule to address this vulnerability directly, minimizing risk.
· Since the Core Rule Set is not currently fully compatible with ArcGIS Manager, scope ModSecurity so that it validates only ArcGIS Services requests, not ArcGIS Manager.
· Start in detection-only mode (log without blocking), review the log for false positives, and only then enable blocking.
URLScan
· Tested with Windows 2003 SP2, IIS, and URLScan 3.1 with the default configuration, which rejects query strings containing angle brackets < > (a common XSS component).
· URLScan 3.1 is available at: http://www.iis.net/extensions/UrlScan.
· Web service security scanning after implementation showed improved XSS security protection of ArcGIS Server 9.3.1.
· URLScan is easy to install (point-and-click); however, it does not provide the full capabilities of a complete WAF.
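The following is an added example, not ESRI's code and not part of ArcGIS Server: it implements the ‘f’ whitelist recommended above for an IPS or ModSecurity rule, beside a URLScan-style angle-bracket check, and runs both over constructed request URLs so the difference between the two workarounds is visible. The ten format values, the /arcgis/rest/services/ path prefix, the Manager path, the made-up host and service names, and case-insensitive matching are all assumptions; confirm the value list against the linked REST API output formats page before deploying a rule built from it.

```python
"""
Added example (not ESRI's or ArcGIS Server's code): the 'f' output-format
whitelist the advisory recommends for an IPS/WAF rule, next to a URLScan-style
'<' '>' query-string check, evaluated over constructed request URLs.

ASSUMPTIONS not stated on the page: the whitelist values, the REST services
path prefix, the Manager path, and case-insensitive comparison.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# ASSUMED list of the ten valid 'f' values; verify against the REST API docs.
VALID_FORMATS = frozenset(
    {"html", "json", "pjson", "kmz", "lyr", "nmf", "jsapi", "ve", "gmaps", "help"}
)
# ASSUMED path prefix of REST service requests. Scoping the rule here leaves
# ArcGIS Manager traffic alone, as the Core Rule Set caveat above suggests.
SERVICES_PREFIX = "/arcgis/rest/services/"


def format_values(url):
    """Every 'f' value in the query string, percent-decoded. An empty 'f='
    is dropped by parse_qs and so treated like an absent parameter."""
    args = parse_qs(urlsplit(url).query)
    return [v for name, vals in args.items() if name.lower() == "f" for v in vals]


def whitelist_allows(url):
    """IPS/WAF whitelist: on a REST services request every 'f' value must be a
    known format. A missing 'f' is allowed (the server picks its default).
    Requests outside the services prefix are not inspected."""
    if not urlsplit(url).path.lower().startswith(SERVICES_PREFIX):
        return True
    return all(v.lower() in VALID_FORMATS for v in format_values(url))


def bracket_check_allows(url):
    """URLScan-like blocklist: reject a query string containing '<' or '>'
    after percent-decoding. It has no notion of what a valid 'f' looks like."""
    query = unquote(urlsplit(url).query)
    return "<" not in query and ">" not in query


# Constructed sample requests; host and service names are made up.
BASE = "http://gis.example.test/arcgis/rest/services/Demo/MapServer"
SAMPLE_REQUESTS = [
    BASE + "?f=json",                                # legitimate
    BASE + "?F=PJSON",                               # legitimate, odd casing
    BASE + "?f=<script>alert(1)</script>",           # classic reflected payload
    BASE + "?f=%3Cscript%3Ealert(1)%3C/script%3E",   # same payload, encoded
    BASE + "?f=json&f=bogus",                        # duplicated parameter
    BASE + "?f=json%22%20onmouseover%3Dalert(1)",    # no brackets at all
    "http://gis.example.test/arcgis/manager?f=<b>",  # Manager: out of scope
]


def triage(urls=SAMPLE_REQUESTS):
    """Map each URL to (whitelist_verdict, bracket_verdict); True means allow."""
    return {u: (whitelist_allows(u), bracket_check_allows(u)) for u in urls}


if __name__ == "__main__":
    for url, (wl, br) in triage().items():
        print(f"whitelist={'allow' if wl else 'BLOCK':5}  "
              f"brackets={'allow' if br else 'BLOCK':5}  {url}")
```

The bracketless sample shows why the advisory prefers a whitelist: the URLScan-style check passes it, while the whitelist rejects it simply because it is not one of the ten formats. Whether such a value is actually exploitable depends on where the server reflects it, which this advisory does not describe. In ModSecurity the same logic is a chained SecRule: the first rule matches REQUEST_URI beginning with the services prefix, the chained rule tests ARGS:f with t:lowercase against a negated anchored regex of the ten values; run it with log-only actions first, then switch to deny once the log is clean.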
Browser XSS Filters
Newer browsers, such as Internet Explorer 8, have a built-in XSS filter that helps protect users. For an ArcGIS Server deployment reached over the LAN (the browser's Local intranet zone), the filter is disabled by default, so those clients receive no protection from it. For external (Internet zone) service requests the XSS filter is enabled by default, giving client machines another layer of protection.
ESRI recommends evaluation in customer environments prior to usage in production.
ESRI strongly recommends that you back up and comprehensively test the stability of your system after applying any patch or workaround, before deleting any of the original file(s) that the patch or workaround replaces.