CVE-2025-67708

MEDIUM 6.1 / 10.0
Published: December 31, 2025 at 11:15 PM
Modified: January 6, 2026 at 07:04 PM
Source: psirt@esri.com

Vulnerability Description

There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

CVSS Metrics

Base Score
6.1
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

Source: psirt@esri.com

AI Security Analysis

01 // Technical Summary

Esri ArcGIS Server versions 11.4 and earlier are vulnerable to stored cross-site scripting (XSS): an unauthenticated attacker can store files containing malicious JavaScript on the server. If a victim, such as an administrator, later views the stored content, this can lead to account compromise, data theft, and complete system takeover. The vulnerability stems from improper input validation when handling file uploads, which lets an attacker store content that later executes in the context of a user's browser.

02 // Vulnerability Mechanism

Step 1 (Payload Creation): The attacker crafts a malicious file, such as an HTML file or a file containing JavaScript code, designed to execute within a victim's browser. This payload could include code to steal cookies, redirect users, or perform other malicious actions.

Step 2 (File Upload): The attacker uses a file upload feature of ArcGIS Server, for example one that accepts map data, images, or related files, to upload the crafted file to the server.

Step 3 (Server Storage): ArcGIS Server stores the uploaded file, likely without proper sanitization or validation of its content.

Step 4 (Victim Interaction): A legitimate user, such as an administrator or another user with access to the affected content, opens a page or feature within ArcGIS Server that displays or references the uploaded file. This could be a map, a report, or any other element that incorporates the upload.

Step 5 (Payload Execution): The victim's browser renders the page, including the attacker's file. Because the file was not properly sanitized, the JavaScript within it executes in the context of the victim's browser, allowing the attacker to perform actions on behalf of the victim.

03 // Deep Technical Analysis

The vulnerability lies within the file upload functionality of Esri ArcGIS Server. The server fails to adequately validate user-supplied content, so attackers can upload files containing malicious JavaScript. When a user, particularly an administrator, accesses a page that includes the uploaded file, the script executes within their browser. The root cause is likely a lack of proper input validation and output encoding when handling uploads and rendering their content: the server does not adequately check the file type or content at upload time, and it does not sanitize or safely serve the content when it is later displayed. This is a classic stored XSS vulnerability, where the malicious payload is persistently stored on the server and served to unsuspecting users.
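To make the mitigation concrete, here is an added example of a hardened policy for serving stored uploads. It is illustrative code written for this page, not Esri's or ArcGIS Server's implementation, and it assumes a generic web application that stores user uploads and later serves them from its own origin. The policy addresses the two root causes named above: it validates the file type from the bytes rather than from the declared type or extension, and it applies output encoding and response headers so that a stored file can never render as a page in the application's origin. The sample files and the `/files/...` URL are constructed for the demo.

```python
"""Hardened serving policy for user-uploaded files (added example, not Esri code).

Stored XSS through uploads happens when a file an attacker stored is later served
from the application's origin with a Content-Type (or a browser-sniffed type) that
renders as HTML. This policy never trusts the declared type or the file extension:
the bytes are sniffed, only a short allowlist may be rendered inline, and
everything else is forced to download with script execution disabled.
"""
import html
import re
from typing import Dict, Optional

# Constructed sample uploads: a minimal PNG header and an HTML file with a script tag.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_SAMPLE = b"<html><script>console.log('stored')</script></html>"

# Magic-byte signatures for the only types this policy renders inline. SVG is left
# out on purpose: it is XML and may carry <script>.
INLINE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

_UNSAFE_NAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sniff_type(data: bytes) -> Optional[str]:
    """Return the inline-safe media type whose signature the bytes carry, else None."""
    for media_type, magics in INLINE_SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return media_type
    return None


def safe_filename(name: str) -> str:
    """Keep only the last path component and a conservative character set."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = _UNSAFE_NAME_CHARS.sub("_", base).lstrip(".")
    return base or "download"


def response_headers(filename: str, declared_type: str, data: bytes) -> Dict[str, str]:
    """Headers for serving a stored upload without letting it run as a page in our origin."""
    sniffed = sniff_type(data)
    name = safe_filename(filename)
    headers = {
        # Stop the browser from second-guessing the type we send.
        "X-Content-Type-Options": "nosniff",
        # If anything does render, it runs with no scripts in an opaque origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if sniffed is not None and sniffed == declared_type:
        headers["Content-Type"] = sniffed
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    else:
        # Unknown, mismatched or HTML-like content: never render, only download.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return headers


def download_link(filename: str, url: str) -> str:
    """Output-encode the attacker-controlled filename before it goes into a page."""
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(filename)}</a>'


if __name__ == "__main__":
    # A genuine PNG is served inline; HTML bytes disguised as a PNG are forced to download.
    print(response_headers("map.png", "image/png", PNG_SAMPLE))
    print(response_headers("map.png", "image/png", HTML_SAMPLE))
    print(download_link("<b>report</b>.html", "/files/1"))
```

The decisive checks are that the served `Content-Type` comes from the sniffed bytes, that `nosniff` prevents the browser from overriding it, and that anything outside the allowlist is delivered as an attachment under a sandboxing CSP. Storing uploads on a separate, cookie-less origin is a further layer that this single-origin example does not show.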

CVE-2025-67708 - MEDIUM Severity (6.1) | Free CVE Database | 4nuxd