MapTools.org

[Chameleon] security issue with Layer Manager widget

Holland-Hibbert,Susan [Burlington] Susan.Holland-Hibbert@ec.gc.ca
Fri, 9 Jan 2004 11:50:52 -0500

Hi all,

Our IT group has recently installed Chameleon on a Windows based system and
have discovered a bit of a security risk in the Layer Manager widget.  We
have installed the following components on a Windows Server 2000 and Windows
XP machine:


IIS 5.1

PHP 4.3.4

Mapscript 4.0.1

Mapserver 4.0.1

Chameleon 1.0.4


When Chameleon is installed on XP, the Manage Servers button inside the
Layer Manager widget (labelled "Manage Layers" on the CWC2 demo application)
returns the following error when a URL is entered to connect to a WMS
server:


Warning: exec(): Unable to fork
[C:\MapServerTools\CWC2\htdocs\common\wmsparse\win32\wmsparse.exe...


The error is reported on the PHP site as a bug
(http://bugs.php.net/bug.php?id=14897).  Basically, PHP (with IIS) runs
using the web account (IWAM_<machinename>) and the web account needs execute
access on the cmd.exe file, which is located (on a standard installation) in
the c:\windows\system32 subdirectory.  XP automatically locks down this file
and in order to get the Manage Servers button to work, I had to give
IWAM_<machinename> execute access on the file, not something my web server
administrators like.  The default security settings for Windows 2000 server
allow Everyone to execute this file, which is a security risk.  Just as a
note: the default settings for Windows NT Server locked down the file.


Our temporary solution is to not use the Layer Manager widget, but we
anticipate building some applications in the future where our client would
like to have the functionality of the Layer Manager.  Has anyone else
experienced this problem and if so, are there any solutions out there?

Thanks, Sue

_____________________________________________________

Susan Holland-Hibbert

GIS Specialist / Spécialiste en SIG

Information Technology Division / Division de la technologie de
l'information

Ontario Region / Région de l'Ontario

Environment Canada / Environnement Canada

867 Lakeshore Rd. / 867, rue Lakeshore

Burlington, ON  L7R 4A6

Tel/Tél: (905) 336-6449   Fax/Télécopier: (905) 336-4906

E-mail/Courriel:  susan.holland-hibbert@ec.gc.ca
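An added audit check, not part of the original post or of the Chameleon project: this PowerShell function lists every account that is allowed to execute cmd.exe (which PHP's exec() needs under IIS) and flags the two grants the post discusses, the "Everyone" execute right described as the Windows 2000 default and the IWAM_<machinename> grant used as the workaround. The default path and the "IWAM_" + computer name convention are assumptions; on a current IIS the application-pool identity would be substituted.

```powershell
# Added audit script (not from the original post). Lists every account that
# may execute cmd.exe and flags the two grants the post discusses:
# "Everyone" (Windows 2000 default) and the IWAM_<machinename> web account
# (the workaround the poster had to apply). The path and the
# "IWAM_" + computer name convention are assumptions.

function Get-CmdExeExecuteGrants {
    param(
        [string] $Path = (Join-Path $env:SystemRoot 'System32\cmd.exe'),
        [string] $WebAccount = "IWAM_$env:COMPUTERNAME"   # hypothetical name
    )

    $execBit = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $acl = Get-Acl -Path $Path

    foreach ($ace in $acl.Access) {
        # Only Allow entries that include the Execute bit matter here;
        # FullControl and ReadAndExecute both contain it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $execBit) -ne $execBit) { continue }

        $who = $ace.IdentityReference.Value
        $note = if ($who -eq 'Everyone') {
            'WEAK: any account may spawn a shell via exec()'
        } elseif ($who -like "*\$WebAccount") {
            'WORKAROUND: web account granted execute (as in the post)'
        } else {
            'expected'
        }

        [pscustomobject]@{
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Note      = $note
        }
    }
}

# Run the audit and show the result as a table.
Get-CmdExeExecuteGrants | Format-Table -AutoSize
```

A row marked WEAK reproduces the Windows 2000 default the post calls a security risk; a row marked WORKAROUND shows the narrower grant the poster applied on XP.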





This archive was generated by Pipermail.