MapServer Cross-site Scripting Security Risk

Notification Date

 

Overview

Reflected cross-site scripting (XSS) occurs when a web application copies attacker-controlled input from the request, typically a query-string parameter, into its HTML response without encoding it. The attacker embeds script in a link that points at the legitimate site, lures an unsuspecting user into following it (for example through a phishing e-mail), and the script then executes in the user's browser within the context of the trusted site. From there the attacker can present what appears to be genuine content in an attempt, for example, to capture authentication credentials, or can read data the browser holds for that site.

The version of MapServer that we use contains such a vulnerability, which is reachable through GetOWS. It has been mitigated by restricting the affected requests in IIS, without affecting iShare capabilities; administrators can confirm the mitigation is in place by sending a GetOWS request whose parameter value carries a harmless marker string and checking that the response does not reflect it unencoded. GetOWS itself will be patched in the next release of iShare v5.8 so that the vulnerability cannot be exploited, and iShare v6.0 will include that fix and use a later, non-vulnerable version of MapServer.
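As an added illustration of the mechanism and the two layers of defence described above (this is example code, not iShare or MapServer code, and the advisory does not describe the actual MapServer defect), the Python below models a toy handler that reflects a query parameter unencoded, the same handler with HTML output encoding, which is the standard application-level fix for reflected XSS, and a request filter in front of the handler that rejects the offending input before it is processed, the way an IIS request restriction does in front of MapServer. The parameter names, the sample requests and the deny list are assumptions made for the illustration.

```python
"""Reflected XSS: a toy vulnerable handler, its encoded counterpart, and a
modelled edge filter. Added example; not the iShare/MapServer code, and not
the actual GetOWS defect, whose details the advisory does not give."""
from html import escape
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample requests (hypothetical values, not a real payload):
# a benign OWS request, a request carrying script in the echoed parameter,
# and the same script percent-encoded once and twice.
BENIGN = "/GetOWS?SERVICE=WMS&REQUEST=GetCapabilities"
MALICIOUS = "/GetOWS?SERVICE=WMS&REQUEST=<script>alert(document.domain)</script>"
ENCODED = "/GetOWS?SERVICE=WMS&REQUEST=%3Cscript%3Ealert(1)%3C/script%3E"
DOUBLE_ENCODED = "/GetOWS?SERVICE=WMS&REQUEST=%253Cscript%253Ealert(1)%253C/script%253E"


def _request_param(url: str) -> str:
    """Pull the REQUEST parameter (percent-decoded) out of a path+query string."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("REQUEST", [""])[0]


def reflect_unescaped(url: str) -> str:
    """Toy vulnerable handler: echoes an unknown REQUEST value into an HTML
    error page verbatim, so script in the parameter runs in the site's origin."""
    return f"<html><body>Unsupported request type: {_request_param(url)}</body></html>"


def reflect_escaped(url: str) -> str:
    """Hardened handler: the same page with the value HTML-encoded on output.
    This is the durable fix and does not depend on any filtering in front."""
    value = escape(_request_param(url), quote=True)
    return f"<html><body>Unsupported request type: {value}</body></html>"


# Substrings the modelled request filter refuses in a query string. IIS Request
# Filtering can deny strings in the URL or query string; the rule the vendor
# actually deployed is not published, so this deny list is an assumption.
DENY_STRINGS = ("<", ">")


def _fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %3C and %253C both read as '<'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def request_filter_allows(url: str) -> bool:
    """True if the request passes the modelled edge filter. The check runs on
    the decoded query string so encoded forms of the payload are also caught."""
    query = _fully_decode(urlsplit(url).query).lower()
    return not any(d in query for d in DENY_STRINGS)


def reflected_unencoded(html: str, marker: str = "<script>") -> bool:
    """Verification check: True if the raw marker appears in the response, i.e.
    the input came back without encoding. Run this against a test response to
    confirm that a mitigation actually stops reflection."""
    return marker in html


def handle(url: str, handler=reflect_unescaped) -> str:
    """Edge filter in front of a handler: the request is rejected before the
    (still vulnerable) handler runs, as the IIS restriction does for MapServer.
    IIS Request Filtering answers denied requests with a 404 status."""
    if not request_filter_allows(url):
        return "<html><body>404 Not Found</body></html>"
    return handler(url)


if __name__ == "__main__":
    print("vulnerable :", reflect_unescaped(MALICIOUS))
    print("encoded    :", reflect_escaped(MALICIOUS))
    print("filtered   :", handle(MALICIOUS))
    print("benign ok  :", handle(BENIGN))
```

The filter is a deny list, and deny lists have two known limits that explain why the advisory pairs the IIS restriction with a code patch: a reflection into an attribute or script context can be exploited without angle brackets at all, and OGC requests that legitimately carry XML in the query string (a WFS FILTER parameter, for instance) would be blocked by a rule this broad, so a production rule has to be narrower and the real fix remains output encoding in the application or upgrading MapServer.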