CVE-2025-67704

MEDIUM 6.1 / 10.0
Published: December 31, 2025 at 11:15 PM
Modified: January 6, 2026 at 07:14 PM
Source: psirt@esri.com

Vulnerability Description

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

CVSS Metrics

Base Score
6.1
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

Source: psirt@esri.com

AI Security Analysis

01 // Technical Summary

Esri ArcGIS Server 11.4 and earlier is vulnerable to a stored cross-site scripting (XSS) attack, allowing unauthenticated attackers to inject malicious code. This vulnerability enables attackers to store malicious files that execute within a victim's browser, potentially leading to account compromise and data exfiltration. Successful exploitation could result in a complete compromise of the ArcGIS Server environment.

02 // Vulnerability Mechanism

Step 1: Payload Creation: The attacker crafts a malicious file (e.g., HTML, JavaScript, or a file containing JavaScript) that includes a cross-site scripting payload. This payload is designed to execute arbitrary JavaScript code within a victim's browser.

Step 2: Payload Delivery: The attacker leverages a specific configuration or feature of ArcGIS Server (e.g., a file upload functionality, a data import process, or a data storage mechanism) to upload or store the malicious file on the server. The attacker may need to identify a specific endpoint or process that lacks proper input validation.

Step 3: Payload Storage: The ArcGIS Server, due to insufficient input validation, stores the malicious file without sanitizing or encoding the injected JavaScript code.

Step 4: Victim Interaction: A legitimate user accesses a page or resource on the ArcGIS Server that includes or references the attacker's stored malicious file. This could be through a link, a map, or a data visualization.

Step 5: Payload Execution: The victim's browser executes the malicious JavaScript code embedded within the attacker's file. This code runs in the context of the victim's browser, allowing the attacker to perform actions such as stealing cookies, redirecting the user to a phishing site, or modifying the content of the page.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and output encoding when handling user-supplied data, specifically during file uploads or data storage within the ArcGIS Server environment. The server fails to properly sanitize user-provided input, allowing an attacker to inject malicious JavaScript code into files that are then stored on the server. When a legitimate user accesses a page or resource that includes the attacker's stored malicious file, the injected JavaScript executes in the context of the user's browser, enabling the attacker to steal cookies, redirect the user, or perform other malicious actions. The root cause is likely a missing or inadequate implementation of HTML encoding and input validation for file uploads and data storage, allowing the attacker to bypass security measures and inject malicious code. The lack of proper content security policy (CSP) further exacerbates the vulnerability, as it does not prevent the execution of the injected JavaScript.
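The analysis above names the generic defences for this class of bug: output encoding of user-controlled values, not letting stored uploads render as active content in the application's origin, and a content security policy that denies execution. The following Python is an added illustration written for this page, not Esri's code and not a description of how ArcGIS Server handles uploads; the file-serving policy, the `safe_filename` helper, the `/uploads/` path and the sample entries are all constructed for the example.

```python
import html
import mimetypes
import re
from typing import Dict, Iterable, Optional, Tuple

# MIME types a browser will render as active content. If a stored upload is served
# inline under one of these types from the application's own origin, any script it
# carries runs with that origin's privileges (the stored-XSS condition above).
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "application/javascript", "text/javascript",
}


def safe_filename(name: str) -> str:
    """Reduce a user-supplied file name to a conservative character set so it
    cannot inject header syntax (quotes, CR/LF) into Content-Disposition."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    return cleaned or "download"


def response_headers_for_upload(filename: str, declared_type: Optional[str] = None) -> Dict[str, str]:
    """Headers for serving a stored user upload.

    Policy (hypothetical, chosen for this example): the client-declared type is
    never trusted over the server-side guess, active content is forced to download
    as an opaque blob, and every upload response carries nosniff plus a sandboxing
    CSP so that markup inside the file cannot execute in this origin.
    """
    guessed, _ = mimetypes.guess_type(filename)
    candidates = [t for t in (declared_type, guessed) if t]
    normalised = [c.split(";")[0].strip().lower() for c in candidates]
    # Treat the file as active if either the declared or the guessed type is active.
    is_active = any(t in ACTIVE_TYPES for t in normalised)
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if is_active or not normalised:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_filename(filename)}"'
    else:
        headers["Content-Type"] = normalised[-1]  # server-side guess wins when present
        headers["Content-Disposition"] = f'inline; filename="{safe_filename(filename)}"'
    return headers


def render_listing(entries: Iterable[Tuple[str, str]]) -> str:
    """Render an HTML listing of stored files. Every user-controlled value is
    HTML-escaped (html.escape with quote=True) before it reaches the page, which
    is the output-encoding step the analysis identifies as missing."""
    rows = []
    for name, uploader in entries:
        rows.append(
            '<li><a href="/uploads/{0}">{1}</a> (uploaded by {2})</li>'.format(
                html.escape(safe_filename(name), quote=True),
                html.escape(name, quote=True),
                html.escape(uploader, quote=True),
            )
        )
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


# Constructed sample: one benign upload and one whose name carries a script tag.
SAMPLE_UPLOADS = [
    ("tile.png", "gis_editor"),
    ("<script>alert(1)</script>.html", "anonymous"),
]

if __name__ == "__main__":
    for name, _ in SAMPLE_UPLOADS:
        print(name, response_headers_for_upload(name))
    print(render_listing(SAMPLE_UPLOADS))
```

Two points of the design matter for this bug class: an HTML or SVG upload is never served inline, even when the client declares a harmless type, and the listing page encodes the file name rather than trusting the stored value. The sandboxing CSP on the upload response is a backstop for the case the analysis mentions, where a file that does get rendered would otherwise execute with the site's origin.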

CVE-2025-67704 - MEDIUM Severity (6.1) | Free CVE Database | 4nuxd