CVE-2025-67703

MEDIUM 6.1 / 10.0
Published: December 31, 2025 at 11:15 PM
Modified: January 6, 2026 at 07:15 PM
Source: psirt@esri.com

Vulnerability Description

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

CVSS Metrics

Base Score
6.1
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

Source: psirt@esri.com

AI Security Analysis

01 // Technical Summary

Esri ArcGIS Server 11.4 and earlier is vulnerable to a stored cross-site scripting (XSS) attack, allowing unauthenticated attackers to inject malicious code. This vulnerability enables attackers to compromise user browsers by storing and serving malicious files, potentially leading to account takeover and data exfiltration. Successful exploitation can result in a significant impact on organizations relying on ArcGIS Server for geospatial data management.

02 // Vulnerability Mechanism

Step 1: Payload Creation: The attacker crafts a malicious file (e.g., HTML, JavaScript, or a file containing JavaScript) containing an XSS payload. This payload is designed to execute in a victim's browser when the file is accessed.

Step 2: File Upload: The attacker leverages a vulnerable file upload functionality within ArcGIS Server. This could be a feature designed for users to upload custom data, maps, or other resources. The attacker uploads the malicious file to the server.

Step 3: File Storage: ArcGIS Server stores the uploaded file, likely without proper sanitization or encoding of the file's content.

Step 4: Victim Interaction: A legitimate user (victim) accesses a resource or page within ArcGIS Server that references or displays the attacker-uploaded file. This could be through a map, a data visualization, or a similar feature.

Step 5: Payload Execution: The victim's browser renders the attacker-uploaded file. Because the file contains malicious JavaScript and the server did not sanitize the content, the JavaScript payload executes within the victim's browser, in the context of the ArcGIS Server domain.

Step 6: Attack Execution: The executed JavaScript allows the attacker to perform actions such as stealing cookies, redirecting the user to a phishing site, or modifying the content of the ArcGIS Server interface, leading to account compromise or data theft.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and output encoding within ArcGIS Server's file upload and storage mechanisms. Specifically, the server fails to properly sanitize user-supplied data, allowing an attacker to upload files containing malicious JavaScript code. When a victim's browser accesses these stored files, the malicious code executes within the context of the victim's session, leading to XSS. The root cause is likely a missing or inadequate implementation of HTML entity encoding or input validation on file content during the storage process. The server trusts the uploaded files without proper sanitization, leading to the execution of arbitrary JavaScript.
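The defensive controls that close the upload-and-serve path described above, as an added example in Python that is not part of this CVE record, Esri's advisory or ArcGIS Server's code: it assumes a generic web handler that returns response headers as a dict, and the MAGIC table, ACTIVE_TYPES set and the sample uploads are constructed for the example. It shows the weak serving pattern (inline, with the uploader's claimed type) beside the hardened one, a body-versus-declared-type check at upload time, and entity encoding of a stored file name when it is echoed into HTML.

```python
import html
import re

# Magic numbers for a few binary formats an upload endpoint might legitimately
# accept. Constructed table for this example; extend it per deployment.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF-",
    "application/zip": b"PK\x03\x04",
}

# Types a browser renders as active content (script can run) when served inline.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/javascript", "application/javascript", "text/xml", "application/xml",
}

_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def is_safe_name(filename: str) -> bool:
    """Reject path separators, leading dots and anything outside a small charset."""
    return bool(_SAFE_NAME.match(filename)) and ".." not in filename


def matches_declared_type(data: bytes, content_type: str) -> bool:
    """Check the file body against the declared type instead of trusting the
    client's Content-Type header. Unknown types are rejected (deny by default)."""
    magic = MAGIC.get(content_type)
    return magic is not None and data.startswith(magic)


def weak_response_headers(content_type: str) -> dict:
    """The weak pattern: serve the stored file inline, with the type the uploader
    claimed, on the application's own origin. An HTML or SVG upload is then a
    page in that origin and its script runs with the victim's session."""
    return {"Content-Type": content_type}


def hardened_response_headers(filename: str, content_type: str) -> dict:
    """Serve uploads so that they cannot execute in the site's origin: force a
    download, pin the type, disable MIME sniffing and sandbox any rendering
    with a CSP that allows no script and no same-origin access."""
    if not is_safe_name(filename):
        raise ValueError("unsafe filename")
    if content_type in ACTIVE_TYPES or content_type not in MAGIC:
        content_type = "application/octet-stream"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "no-store",
    }


def listing_entry(filename: str) -> str:
    """Output encoding for the other half of the problem: when a stored file's
    name is echoed into an HTML page, entity-encode it."""
    return f"<li>{html.escape(filename, quote=True)}</li>"


def accept_upload(filename: str, content_type: str, data: bytes) -> dict:
    """Validate an upload and return the headers it would later be served with,
    or a dict with an 'error' key saying why it was rejected."""
    if not is_safe_name(filename):
        return {"error": "unsafe filename"}
    if not matches_declared_type(data, content_type):
        return {"error": "body does not match declared type"}
    return hardened_response_headers(filename, content_type)


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header, and a text body claiming to be PNG.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(accept_upload("parcels.png", "image/png", png))
    print(accept_upload("parcels.png", "image/png", b"<html>not a png</html>"))
    print(listing_entry("<b>parcels</b>.png"))
```

Serving uploads from a separate origin (a dedicated download host) removes the remaining risk of a browser rendering them inside the application's session; the headers above are the minimum for deployments where that is not possible. The magic-number check confirms the body starts like the declared format, not that the file is well-formed, so it complements rather than replaces a proper parser or antivirus scan on the stored content.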

CVE-2025-67703 - MEDIUM Severity (6.1) | Free CVE Database | 4nuxd