MapTools.org

[Chameleon] security issue with Layer Manager widget

Kralidis,Tom [Burlington] Tom.Kralidis@ec.gc.ca
Mon, 12 Jan 2004 07:41:15 -0500
Hi,

Paul: thanks for filing this in bugzilla.  We'll have to somehow turn this
off in our deployment, as it poses a security risk to our IT i/f.

Can something like SWIG be used here to glue PHP to C?

..Tom

=========================
Tom Kralidis
Systems Scientist
Environment Canada
Tel: +01-905-336-4409
http://www.ec.gc.ca/cise/
========================= 

> -----Original Message-----
> From: Paul Spencer [mailto:pagameba@magma.ca]
> Sent: Sunday, January 11, 2004 9:07 AM
> To: Holland-Hibbert,Susan [Burlington]
> Cc: 'chameleon@lists.maptools.org'; Astolfo,Rebecca 
> [Burlington]; Kralidis,Tom [Burlington]; Hall,Sarah 
> [Dartmouth]; Alexander,Ryan [Dartmouth]
> Subject: Re: [Chameleon] security issue with Layer Manager widget
> 
> 
> Susan, this is an interesting problem.  I'm not sure yet how we can work
> around it.  I guess one way would be to recode the wmsparse utility as a
> cgi.
> 
> I'll post a bug on this.
> 
> Cheers,
> 
> Paul
> 
> Holland-Hibbert,Susan [Burlington] wrote:
> 
> > Hi all,
> > 
> > Our IT group has recently installed Chameleon on a Windows based system
> > and have discovered a bit of a security risk in the Layer Manager
> > widget.  We have installed the following components on a Windows Server
> > 2000 and Windows XP machine:
> > 
> > IIS 5.1
> > 
> > PHP 4.3.4
> > 
> > Mapscript 4.0.1
> > 
> > Mapserver 4.0.1
> > 
> > Chameleon 1.0.4
> > 
> > When Chameleon is installed on XP, the Manage Servers button inside the
> > Layer Manager widget (labelled "Manage Layers" on the CWC2 demo
> > application) returns the following error when a URL is entered to
> > connect to a WMS server:
> > 
> > Warning: exec(): Unable to fork 
> > [C:\MapServerTools\CWC2\htdocs\common\wmsparse\win32\wmsparse.exe...
> > 
> > The error is reported on the PHP site as a bug
> > (http://bugs.php.net/bug.php?id=14897).  Basically, PHP (with IIS) runs
> > using the web account (IWAM_<machinename>) and the web account needs
> > execute access on the cmd.exe file, which is located (on a standard
> > installation) in the c:\windows\system32 subdirectory.  XP automatically
> > locks down this file and in order to get the Manage Servers button to
> > work, I had to give IWAM_<machinename> execute access on the file, not
> > something my web server administrators like.  The default security
> > settings for Windows 2000 server allow Everyone to execute this file
> > which is a security risk.  Just as a note: the default settings for
> > Windows NT Server locked down the file.
> > 
> > Our temporary solution is to not use the Layer Manager widget, but we
> > anticipate building some applications in the future where our client
> > would like to have the functionality of the Layer Manager.  Has anyone
> > else experienced this problem and if so, are there any solutions out
> > there?
> > 
> > Thanks, Sue
> > 
> > _____________________________________________________
> > 
> > **Susan Holland-Hibbert**
> > 
> > GIS Specialist / Spécialiste en SIG
> > 
> > Information Technology Division / Division de la technologie de 
> > l'information
> > 
> > Ontario Region / Région de l'Ontario
> > 
> > Environment Canada / Environnement Canada
> > 
> > 867 Lakeshore Rd. / 867, rue Lakeshore
> > 
> > Burlington, ON  L7R 4A6
> > 
> > Tel/Tél: (905) 336-6449   Fax/Télécopier: (905) 336-4906
> > 
> > E-mail/Courriel:  susan.holland-hibbert@ec.gc.ca
> > 
> 
> -- 
>   -----------------------------------------------------------------
> |Paul Spencer                           spencer@dmsolutions.ca    |
> |-----------------------------------------------------------------|
> |Applications & Software Development                              |
> |DM Solutions Group Inc                 http://www.dmsolutions.ca/|
>   -----------------------------------------------------------------
> 
> _______________________________________________
> Chameleon mailing list
> Chameleon@lists.maptools.org
> http://lists.maptools.org/mailman/listinfo/chameleon
> 
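The condition Susan describes is a file ACL question: PHP's exec() on Windows launches its command through cmd.exe, so the IIS process account must be allowed to execute that binary, and on Windows 2000 the default grants that to Everyone. The following read-only audit script is an added example, not part of this thread, of Chameleon or of PHP. It lists every identity holding execute rights on cmd.exe and flags the broad or web-process identities; the path, the watch list and the IWAM_<machinename> naming from the thread are assumptions you should adjust for your own server.

```powershell
# Added example (not from the mailing-list thread): report which identities
# hold execute rights on cmd.exe, the permission the thread says had to be
# granted to the IIS account (IWAM_<machinename>) for PHP's exec() to work.
# Read-only: it changes no ACLs. Run in an elevated PowerShell on the web server.

param(
    # Shell binary that PHP's exec()/system() go through on Windows (assumed default path).
    [string]$CmdPath = (Join-Path $env:SystemRoot 'System32\cmd.exe'),
    # Identities to flag if they can execute cmd.exe. IWAM_<machine> is the IIS 5
    # out-of-process account named in the thread; newer IIS versions use other
    # application pool identities, so extend this list for your deployment.
    [string[]]$WatchList = @('Everyone', 'BUILTIN\Users', 'Authenticated Users',
                             "IWAM_$env:COMPUTERNAME")
)

function Get-ExecuteGrants {
    param([string]$Path)

    $executeBit = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $acl = Get-Acl -Path $Path

    foreach ($ace in $acl.Access) {
        # Deny entries restrict rather than grant; only Allow entries are of interest.
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) {
            continue
        }
        # FullControl, Modify and ReadAndExecute all contain the ExecuteFile bit,
        # so a bitwise test catches every combination that permits launching cmd.exe.
        # Generic rights (negative enum values) are not decoded here; review those by hand.
        if (($ace.FileSystemRights -band $executeBit) -eq $executeBit) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$grants = Get-ExecuteGrants -Path $CmdPath
Write-Output "Identities with execute rights on ${CmdPath}:"
$grants | Format-Table -AutoSize

# Flag identities whose name ends with a watch-list entry, e.g.
# "NT AUTHORITY\Authenticated Users" matches "Authenticated Users".
$flagged = $grants | Where-Object {
    $identity = $_.Identity
    $WatchList | Where-Object { $identity -like "*$_" }
}

if ($flagged) {
    Write-Warning "Broad or web-process execute rights on $CmdPath (the exposure discussed in the thread):"
    $flagged | ForEach-Object { Write-Warning ("  {0} : {1}" -f $_.Identity, $_.Rights) }
} else {
    Write-Output "No watched identity holds execute rights on $CmdPath."
}
```

A hit for Everyone on a Windows 2000 server reproduces the default Susan mentions; a hit only for the IWAM_ account reproduces the workaround she applied on XP. Either way the finding is the same one the thread draws: as long as the widget relies on exec(), the web account must be able to start a shell, which is why Paul's CGI rewrite and Tom's SWIG-bound extension are the routes that remove the requirement rather than relax the ACL.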



This archive was generated by Pipermail.