Source: psirt@esri.com
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
Esri ArcGIS Server 11.4 and earlier is vulnerable to a stored cross-site scripting (XSS) attack, allowing attackers to store malicious code on the server. This vulnerability enables remote, unauthenticated attackers to compromise user browsers by having the server serve crafted files containing malicious JavaScript, potentially leading to account takeover or data exfiltration.
Step 1: Payload Creation: The attacker crafts a file (e.g., HTML, JavaScript, or a file that can be rendered by the server) containing malicious JavaScript code. This code is designed to execute within the context of a user's browser.
Step 2: File Upload: The attacker leverages a vulnerable feature of ArcGIS Server (e.g., a file upload functionality within a web application or service) to upload the crafted file to the server. The server stores the file without proper sanitization.
Step 3: File Storage: The server stores the uploaded file, potentially making it accessible via a URL.
Step 4: Victim Interaction: A legitimate user accesses a page or service within ArcGIS Server that renders the attacker's uploaded file. This could be a map service, a web application, or any other feature that displays the uploaded content.
Step 5: Malicious Code Execution: The user's browser executes the malicious JavaScript code embedded within the uploaded file. This allows the attacker to perform actions within the user's browser context, such as stealing cookies, redirecting the user to a phishing site, or modifying the content of the page.
The vulnerability stems from insufficient input validation and output encoding in ArcGIS Server's file handling. The server does not sanitize user-supplied file content when storing it, so an uploaded file can carry JavaScript that is kept as-is. When a legitimate user opens a page that renders the stored file (for example through a map service or other ArcGIS functionality), that JavaScript runs in the user's browser context. The root cause is likely a missing or inadequate validation step at upload time combined with a failure to HTML-encode the content when serving it back to the client, which lets the attacker inject arbitrary HTML and JavaScript.
While no specific APTs are directly linked to this CVE, XSS vulnerabilities are commonly exploited by a wide range of threat actors, from opportunistic attackers to more sophisticated groups. The potential for data exfiltration and account compromise makes this flaw attractive to various actors. Addition to the CISA KEV catalog is likely given the severity and ease of exploitation.
Monitor web server logs for suspicious file uploads, especially those with unusual extensions or content.
Analyze network traffic for unusual HTTP requests related to ArcGIS Server, particularly those involving file downloads or requests for potentially malicious files.
Implement a Web Application Firewall (WAF) with rules to detect and block XSS attempts.
Monitor for changes in the ArcGIS Server file system, looking for the creation of unexpected files or modifications to existing ones.
Use a Security Information and Event Management (SIEM) system to correlate logs and identify suspicious activity patterns.
Upgrade to ArcGIS Server 11.5 or later, which includes a fix for this vulnerability.
Implement robust input validation to sanitize all user-supplied data before storing it on the server.
Implement output encoding to HTML-encode all data displayed to users, preventing the execution of malicious scripts.
Configure a Web Application Firewall (WAF) to filter malicious requests and prevent XSS attacks.
Regularly scan the ArcGIS Server installation for vulnerabilities and apply security patches promptly.
Implement a Content Security Policy (CSP) to restrict the sources from which the browser can load resources, mitigating the impact of XSS attacks.
Review and harden the ArcGIS Server configuration, disabling unnecessary features and services.
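As an added illustration of the output-encoding and content-type hardening listed above (example code written for this page, not Esri's or ArcGIS Server's own; the sample upload, the extension allowlist and the header set are constructed assumptions), the failure mode from the advisory beside a hardened serving path:

```python
import html
import os
import re

# Constructed sample upload (hypothetical, not an artefact from the advisory):
# an "HTML note" whose body carries script, the kind of file stored XSS relies on.
SAMPLE_NAME = "notes.html"
SAMPLE_BODY = "<p>Site survey</p><script>alert(document.cookie)</script>"

# Extensions a browser would execute as active content if served verbatim.
ACTIVE_TYPES = {".html", ".htm", ".svg", ".xml", ".xhtml", ".js"}
# Allowlist of upload types that may be shown inline, with the type WE choose.
INLINE_TYPES = {".png": "image/png", ".jpg": "image/jpeg",
                ".pdf": "application/pdf", ".txt": "text/plain"}

def render_vulnerable(name, body):
    """The failure mode the advisory describes: stored bytes are echoed back
    as HTML with no encoding, so embedded script runs in the viewer's origin."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, "<h1>Attachment: " + name + "</h1>" + body

def render_hardened(name, body):
    """Output-encode everything that came from the upload before embedding it,
    and add a CSP so that even a missed encoding cannot load or run script."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy":
            "default-src 'none'; style-src 'self'; frame-ancestors 'none'",
    }
    page = ("<h1>Attachment: " + html.escape(name) + "</h1><pre>"
            + html.escape(body) + "</pre>")
    return headers, page

def download_headers(name):
    """Headers for serving the raw file. The upload never dictates its own
    content type: active content (or anything off the allowlist) is forced to
    an inert download so the browser cannot render it in the server's origin."""
    ext = os.path.splitext(name)[1].lower()
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", name)  # keeps header injection out
    if ext in ACTIVE_TYPES or ext not in INLINE_TYPES:
        return {"Content-Type": "application/octet-stream",
                "Content-Disposition": 'attachment; filename="%s"' % safe_name,
                "X-Content-Type-Options": "nosniff"}
    return {"Content-Type": INLINE_TYPES[ext],
            "Content-Disposition": "inline",
            "X-Content-Type-Options": "nosniff"}
```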