MapTools.org

[Chameleon] security issue with Layer Manager widget

Paul Spencer spencer@dmsolutions.ca
Sun, 11 Jan 2004 09:06:56 -0500
Susan, this is an interesting problem.  I'm not sure yet how we can work 
around it.  I guess one way would be to recode the wmsparse utility as a 
CGI.

I'll post a bug on this.

Cheers,

Paul

Holland-Hibbert,Susan [Burlington] wrote:

> Hi all,
> 
> Our IT group has recently installed Chameleon on a Windows-based system 
> and has discovered a bit of a security risk in the Layer Manager 
> widget.  We have installed the following components on a Windows Server 
> 2000 and Windows XP machine:
> 
> IIS 5.1
> PHP 4.3.4
> Mapscript 4.0.1
> Mapserver 4.0.1
> Chameleon 1.0.4
> 
> When Chameleon is installed on XP, the Manage Servers button inside the 
> Layer Manager widget (labelled "Manage Layers" on the CWC2 demo 
> application) returns the following error when a URL is entered to 
> connect to a WMS server:
> 
> Warning: exec(): Unable to fork 
> [C:\MapServerTools\CWC2\htdocs\common\wmsparse\win32\wmsparse.exe...
> 
> The error is reported on the PHP site as a bug 
> (http://bugs.php.net/bug.php?id=14897).  Basically, PHP (with IIS) runs 
> using the web account (IWAM_<machinename>) and the web account needs 
> execute access on the cmd.exe file, which is located (on a standard 
> installation) in the c:\windows\system32 subdirectory.  XP automatically 
> locks down this file and in order to get the Manage Servers button to 
> work, I had to give IWAM_<machinename> execute access on the file, not 
> something my web server administrators like.   The default security 
> settings for Windows 2000 server allow Everyone to execute this file 
> which is a security risk.  Just as a note: the default settings for 
> Windows NT Server locked down the file.
> 
> Our temporary solution is to not use the Layer Manager widget, but we 
> anticipate building some applications in the future where our client 
> would like to have the functionality of the Layer Manager.  Has anyone 
> else experienced this problem and if so, are there any solutions out 
> there? 
> 
> Thanks, Sue
> 
> _____________________________________________________
> 
> **Susan Holland-Hibbert**
> GIS Specialist / Spécialiste en SIG
> Information Technology Division / Division de la technologie de l'information
> Ontario Region / Région de l'Ontario
> Environment Canada / Environnement Canada
> 867 Lakeshore Rd. / 867, rue Lakeshore
> Burlington, ON  L7R 4A6
> 
> Tel/Tél: (905) 336-6449   Fax/Télécopier: (905) 336-4906
> E-mail/Courriel:  susan.holland-hibbert@ec.gc.ca
> 

-- 
  -----------------------------------------------------------------
|Paul Spencer                           spencer@dmsolutions.ca    |
|-----------------------------------------------------------------|
|Applications & Software Development                              |
|DM Solutions Group Inc                 http://www.dmsolutions.ca/|
  -----------------------------------------------------------------
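
An added example, not part of the original thread or of Chameleon: a PowerShell audit that lists which accounts hold an Allow entry granting execute on cmd.exe, the permission the message above describes. The account-name patterns and the parameter names are assumptions made for illustration.

```powershell
# Added example (not Chameleon code): report who is allowed to execute cmd.exe.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\cmd.exe'),
    # Assumed patterns: the IIS web account named in the thread, plus Everyone.
    [string[]]$RiskyPatterns = @('*\IWAM_*', 'IWAM_*', 'Everyone')
)

# Access-mask bits that let a process start the file.
$FILE_EXECUTE    = 0x20        # FileSystemRights.ExecuteFile
$GENERIC_EXECUTE = 0x20000000  # generic rights show up in Get-Acl as raw numbers
$GENERIC_ALL     = 0x10000000
$ExecuteBits     = $FILE_EXECUTE -bor $GENERIC_EXECUTE -bor $GENERIC_ALL

function Test-GrantsExecute {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    # Cast to int so entries stored as generic rights are not missed.
    return (([int]$Rule.FileSystemRights -band $ExecuteBits) -ne 0)
}

$acl = Get-Acl -LiteralPath $Path
$findings = foreach ($rule in $acl.Access) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (-not (Test-GrantsExecute -Rule $rule)) { continue }

    $name  = $rule.IdentityReference.Value
    $risky = $false
    foreach ($pattern in $RiskyPatterns) {
        if ($name -like $pattern) { $risky = $true }
    }

    [pscustomobject]@{
        Identity  = $name
        Rights    = $rule.FileSystemRights
        Inherited = $rule.IsInherited
        Risky     = $risky
    }
}

$findings | Sort-Object Risky -Descending | Format-Table -AutoSize
if ($findings | Where-Object { $_.Risky }) {
    Write-Warning "A web account or Everyone may execute $Path"
}
```

The script reads only the entries stored on the file. A web account can also gain execute through a group it belongs to, so review the non-flagged rows as well.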


