There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
Esri ArcGIS Server 11.4 and earlier is vulnerable to a stored cross-site scripting (XSS) attack: in some configurations an unauthenticated remote attacker can store files on the server that contain script, and ArcGIS Server later serves that content to users' browsers. The script runs in the victim's browser under the ArcGIS Server origin, not on the server itself, which is enough to hijack the victim's session, perform actions with the victim's privileges, and exfiltrate data the victim can see.
The advisory does not name the affected endpoint, so the following is the generic attack chain for this vulnerability class, not a description of a specific ArcGIS Server component.
Step 1: Payload Preparation: The attacker crafts a file whose content a browser will interpret as markup or script (for example an HTML or SVG document, or a file whose name or metadata contains HTML), carrying JavaScript intended to execute in a victim's browser.
Step 2: File Upload: The attacker uses a file-storage function exposed by ArcGIS Server without authentication. Because the advisory says the issue exists only in some configurations, this is a function that is reachable or permissive only under certain settings.
Step 3: Payload Storage: The server accepts the file and stores it without restricting its content type or neutralizing the filename or content, so the stored object is attacker-controlled from that point on.
Step 4: Victim Interaction: A legitimate user, typically an administrator or publisher, opens a page or resource in ArcGIS Server that lists, renders, or serves the stored file from the server's own origin.
Step 5: Code Execution: The browser interprets the stored content as HTML or SVG (or renders the unencoded filename into a page), and the embedded JavaScript executes with the victim's session. Script at this point can read whatever storage and tokens are exposed to JavaScript, issue authenticated requests to ArcGIS Server as the victim, and rewrite the page the victim is viewing.
Step 6: Attack Completion: The attacker uses that foothold to take over the account, alter or deface content, or stage further payloads. Cookies marked HttpOnly are not readable by script, but same-origin requests made by the script still carry them, so the session is abused either way.
The vulnerability stems from ArcGIS Server storing attacker-supplied files and later returning them, or metadata derived from them, to browsers in its own origin without the controls that make stored user content inert. Two things have to fail for a stored file to become XSS: the server accepts content a browser can execute (an HTML or SVG body, or a filename containing markup) and it then serves or renders that content without output encoding, without a Content-Type that prevents rendering as a document, and without headers such as Content-Disposition: attachment and X-Content-Type-Options: nosniff. A Content Security Policy is a mitigation that would limit the impact, not the root cause; its absence is why the executed script has full reach, but the defect is the missing restriction at storage time and the missing encoding at output time. The advisory does not identify the specific service or upload path involved, only that the exposure depends on configuration, so the fix and any detection logic should treat every path that stores and re-serves user-supplied files as in scope.
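The attack chain and the root-cause paragraph above describe a generic pattern, so the following is an added example of the two controls that break it: rejecting or neutralizing browser-active content at storage time, and encoding and defusing it at output time. It is constructed for this page and is not ArcGIS Server code; the sample payloads, the allowlist DATA_UPLOAD_TYPES, and the function names are all assumptions made for illustration. The unsafe and safe listing renderers sit side by side so the output-encoding failure is visible next to its fix.

```python
# Added example (not ArcGIS Server code): generic hardening for a web service
# that stores user-supplied files and later lists or serves them.
import html
import re
from dataclasses import dataclass

# Types a browser renders as a document, so script inside them runs in the
# serving origin. An allowlist for a data-upload endpoint should exclude them.
ACTIVE_CONTENT_TYPES = frozenset({
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
})

# Hypothetical allowlist for a data-upload endpoint (assumption for the example).
DATA_UPLOAD_TYPES = frozenset({"image/png", "image/jpeg", "application/zip", "text/csv"})

# Heuristic markers of browser-executable content, checked independently of the
# declared Content-Type, because the declared type is attacker-controlled.
_ACTIVE_MARKERS = re.compile(
    rb"<\s*(script|svg|html|iframe|object|embed|body|img)\b"
    rb"|javascript\s*:"
    rb"|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class StoredFile:
    name: str
    content_type: str
    data: bytes


def safe_filename(name: str) -> str:
    """Reduce a client-supplied filename to a conservative character set:
    strip directory components, replace anything outside [A-Za-z0-9._-],
    and drop leading dots so '..' or hidden names cannot be produced."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]+", "_", base).lstrip("._")
    return base[:128] or "upload"


def looks_like_active_content(data: bytes) -> bool:
    """True if the start of the payload contains HTML/SVG/script markers."""
    return _ACTIVE_MARKERS.search(data[:4096]) is not None


def validate_upload(name: str, declared_type: str, data: bytes,
                    allowed_types: frozenset) -> StoredFile:
    """Accept an upload only if its declared type is allowlisted and not a
    browser-active type, and its bytes do not look like active content."""
    ctype = declared_type.split(";", 1)[0].strip().lower()
    if ctype not in allowed_types or ctype in ACTIVE_CONTENT_TYPES:
        raise ValueError(f"content type not permitted: {ctype!r}")
    if looks_like_active_content(data):
        raise ValueError("payload contains browser-executable markup")
    return StoredFile(safe_filename(name), ctype, data)


def upload_rejected(name: str, declared_type: str, data: bytes,
                    allowed_types: frozenset) -> str:
    """Return the rejection reason, or '' if the upload would be accepted."""
    try:
        validate_upload(name, declared_type, data, allowed_types)
    except ValueError as exc:
        return str(exc)
    return ""


def download_headers(stored: StoredFile) -> dict:
    """Headers for serving a stored file back. Even if validation was bypassed,
    these stop the browser from executing the body in the site's origin."""
    active = stored.content_type in ACTIVE_CONTENT_TYPES
    return {
        "Content-Type": "application/octet-stream" if active else stored.content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored.name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def render_listing_unsafe(names) -> str:
    """The vulnerable pattern: filenames concatenated into HTML unencoded."""
    return "<ul>" + "".join(f"<li>{n}</li>" for n in names) + "</ul>"


def render_listing(names) -> str:
    """Hardened: every filename is HTML-encoded at the point of output."""
    return "<ul>" + "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in names) + "</ul>"


# Constructed sample inputs for the demonstration (not real ArcGIS data).
SVG_PAYLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>'
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
HOSTILE_NAME = "../<img src=x onerror=alert(1)>.png"

if __name__ == "__main__":
    print(upload_rejected("map.svg", "image/svg+xml", SVG_PAYLOAD, DATA_UPLOAD_TYPES))
    print(upload_rejected("x.png", "image/png", SVG_PAYLOAD, DATA_UPLOAD_TYPES))
    print(download_headers(StoredFile("evil.svg", "image/svg+xml", SVG_PAYLOAD)))
    print(render_listing_unsafe([HOSTILE_NAME]))
    print(render_listing([HOSTILE_NAME]))
```

The content sniff is a heuristic and will not catch every encoding trick, which is why download_headers is applied unconditionally: attachment disposition plus nosniff means a stored file that slips through is downloaded rather than rendered, and the sandboxing CSP on the response removes its origin if it is rendered anyway. Filename sanitization happens at storage time, but the listing renderer still encodes at output, since a name written by an older or different code path cannot be trusted to have been sanitized.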