MapTools.org

[Chameleon] security issue with Layer Manager widget

Paul Spencer spencer@dmsolutions.ca
Mon, 12 Jan 2004 08:52:53 -0500

Tom,

we'll investigate the best approach here and track it through bug 177 on 
maptools.org.

Cheers,

Paul

Kralidis,Tom [Burlington] wrote:

> Hi,
> 
> Paul: thanks for filing this in bugzilla.  We'll have to somehow turn this
> off in our deployment, as it poses a security risk to our IT i/f.
> 
> Can something like SWIG be used here to glue PHP to C?
> 
> ..Tom
> 
> =========================
> Tom Kralidis
> Systems Scientist
> Environment Canada
> Tel: +01-905-336-4409
> http://www.ec.gc.ca/cise/
> ========================= 
> 
> 
>>-----Original Message-----
>>From: Paul Spencer [mailto:pagameba@magma.ca]
>>Sent: Sunday, January 11, 2004 9:07 AM
>>To: Holland-Hibbert,Susan [Burlington]
>>Cc: 'chameleon@lists.maptools.org'; Astolfo,Rebecca 
>>[Burlington]; Kralidis,Tom [Burlington]; Hall,Sarah 
>>[Dartmouth]; Alexander,Ryan [Dartmouth]
>>Subject: Re: [Chameleon] security issue with Layer Manager widget
>>
>>
>>Susan, this is an interesting problem.  I'm not sure yet how we can
>>work around it.  I guess one way would be to recode the wmsparse
>>utility as a cgi.
>>
>>I'll post a bug on this.
>>
>>Cheers,
>>
>>Paul
>>
>>Holland-Hibbert,Susan [Burlington] wrote:
>>
>>
>>>Hi all,
>>>
>>> 
>>>
>>>Our IT group has recently installed Chameleon on a Windows based
>>>system and have discovered a bit of a security risk in the Layer
>>>Manager widget.  We have installed the following components on a
>>>Windows Server 2000 and Windows XP machine:
>>>
>>> 
>>>
>>>IIS 5.1
>>>
>>>PHP 4.3.4
>>>
>>>Mapscript 4.0.1
>>>
>>>Mapserver 4.0.1
>>>
>>>Chameleon 1.0.4
>>>
>>> 
>>>
>>>When Chameleon is installed on XP, the Manage Servers button inside
>>>the Layer Manager widget (labelled "Manage Layers" on the CWC2 demo
>>>application) returns the following error when a URL is entered to
>>>connect to a WMS server:
>>>
>>> 
>>>
>>>Warning: exec(): Unable to fork 
>>>[C:\MapServerTools\CWC2\htdocs\common\wmsparse\win32\wmsparse.exe...
>>>
>>> 
>>>
>>>The error is reported on the PHP site as a bug
>>>(http://bugs.php.net/bug.php?id=14897).  Basically, PHP (with IIS)
>>>runs using the web account (IWAM_<machinename>) and the web account
>>>needs execute access on the cmd.exe file, which is located (on a
>>>standard installation) in the c:\windows\system32 subdirectory.  XP
>>>automatically locks down this file and in order to get the Manage
>>>Servers button to work, I had to give IWAM_<machinename> execute
>>>access on the file, not something my web server administrators like.
>>>The default security settings for Windows 2000 server allow Everyone
>>>to execute this file which is a security risk.  Just as a note: the
>>>default settings for Windows NT Server locked down the file.
>>>
>>> 
>>>
>>>Our temporary solution is to not use the Layer Manager widget, but we
>>>anticipate building some applications in the future where our client
>>>would like to have the functionality of the Layer Manager.  Has anyone
>>>else experienced this problem and if so, are there any solutions out
>>>there?
>>>
>>> 
>>>
>>>Thanks, Sue
>>>
>>> 
>>>
>>>_____________________________________________________
>>>
>>> 
>>>
>>>**Susan Holland-Hibbert**
>>>
>>>GIS Specialist / Spécialiste en SIG
>>>
>>>Information Technology Division / Division de la technologie de 
>>>l'information
>>>
>>>Ontario Region / Région de l'Ontario
>>>
>>>Environment Canada / Environnement Canada
>>>
>>>867 Lakeshore Rd. / 867, rue Lakeshore
>>>
>>>Burlington, ON  L7R 4A6
>>>
>>> 
>>>
>>>Tel/Tél: (905) 336-6449   Fax/Télécopier: (905) 336-4906
>>>
>>>E-mail/Courriel:  susan.holland-hibbert@ec.gc.ca
>>>
>>> 
>>>
>>
>>-- 
>>  -----------------------------------------------------------------
>>|Paul Spencer                           spencer@dmsolutions.ca    |
>>|-----------------------------------------------------------------|
>>|Applications & Software Development                              |
>>|DM Solutions Group Inc                 http://www.dmsolutions.ca/|
>>  -----------------------------------------------------------------
>>
>>_______________________________________________
>>Chameleon mailing list
>>Chameleon@lists.maptools.org
>>http://lists.maptools.org/mailman/listinfo/chameleon
>>
> 
> 

-- 
  -----------------------------------------------------------------
|Paul Spencer                           spencer@dmsolutions.ca    |
|-----------------------------------------------------------------|
|Applications & Software Development                              |
|DM Solutions Group Inc                 http://www.dmsolutions.ca/|
  -----------------------------------------------------------------
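
Added example (not part of the thread and not Chameleon code): the error quoted above comes from PHP's exec() starting programs through cmd.exe, which is why the web account needed execute access to that file. On PHP 7.4 or later (much newer than the PHP 4.3.4 in this thread), proc_open() with an array command starts the program directly, so the ACL on cmd.exe can stay locked down. The function names and the single-URL calling convention for wmsparse.exe are assumptions; the path is the one shown in the error message.

```php
<?php
// Added example, not Chameleon code. Requires PHP >= 7.4.
// Path taken from the error message in the thread; the way wmsparse.exe
// takes its input (one URL argument) is an ASSUMPTION for illustration.
const WMSPARSE = 'C:\\MapServerTools\\CWC2\\htdocs\\common\\wmsparse\\win32\\wmsparse.exe';

// Accept only well-formed http(s) URLs with a host before they get
// anywhere near a process launch.
function validate_wms_url(string $url): string
{
    $parts = parse_url($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || $parts === false
        || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)
        || empty($parts['host'])) {
        throw new InvalidArgumentException('Not an http(s) URL');
    }
    return $url;
}

function run_wmsparse(string $url): string
{
    // Array form: PHP launches the executable itself and quotes each
    // argument, so cmd.exe is never started and the URL is never parsed
    // by a shell.
    $argv = [WMSPARSE, validate_wms_url($url)];

    // One pipe only (stderr merged into stdout) so a chatty child cannot
    // block on a pipe nobody is reading.
    $spec = [
        0 => ['null'],
        1 => ['pipe', 'w'],
        2 => ['redirect', 1],
    ];

    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start wmsparse');
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);

    $exit = proc_close($proc);
    if ($exit !== 0) {
        throw new RuntimeException("wmsparse exited with code $exit");
    }
    return $output;
}
```

With this form the web account needs execute permission only on wmsparse.exe itself, not on cmd.exe.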



This archive was generated by Pipermail.