CVE-2025-67705

MEDIUM 6.1 / 10.0
Published: December 31, 2025 at 11:15 PM
Modified: January 6, 2026 at 07:09 PM
Source: psirt@esri.com

Vulnerability Description

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

CVSS Metrics

Base Score
6.1
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

Source: psirt@esri.com

AI Security Analysis

01 // Technical Summary

Esri ArcGIS Server 11.4 and earlier is vulnerable to stored cross-site scripting (XSS): in some configurations an attacker can store files containing malicious script on the server. A remote, unauthenticated attacker can thereby cause arbitrary JavaScript to run in a victim's browser in the context of the ArcGIS Server site, potentially leading to account takeover or data exfiltration.

02 // Vulnerability Mechanism

Step 1: Payload Creation: The attacker crafts a malicious payload containing JavaScript code designed to exploit the XSS vulnerability. This payload could be designed to steal cookies, redirect users, or perform other malicious actions.

Step 2: Payload Delivery: The attacker uploads a file containing the malicious JavaScript payload to the ArcGIS Server. This is achieved by exploiting a file upload functionality or a data storage mechanism within the server that lacks proper input validation.

Step 3: Payload Storage: The ArcGIS Server stores the uploaded file, including the malicious JavaScript payload, without sanitizing or filtering the code.

Step 4: Victim Interaction: A legitimate user accesses a resource or interacts with a feature on the ArcGIS Server that triggers the execution of the stored file containing the malicious JavaScript. This could be through viewing a map, accessing a data layer, or interacting with a specific application.

Step 5: Payload Execution: The victim's browser executes the malicious JavaScript payload within the context of the ArcGIS Server. This allows the attacker to control the user's browser and perform actions on their behalf.

03 // Deep Technical Analysis

The vulnerability stems from insufficient validation and sanitization of user-supplied data when ArcGIS Server handles file uploads or data storage. The server stores user-provided content without sanitizing it, so an attacker can place files containing JavaScript on the server. When a legitimate user later retrieves those files through the server, the browser executes the script in that user's session with ArcGIS Server, which is what makes this a stored XSS. The root cause is likely a missing or inadequate control against storing and serving untrusted active content: insufficient input validation, missing output encoding, or no content security policy (CSP) enforcement.
