MapServer
cpe:2.3:a:osgeo:mapserver:*:*:*:*:*:*:*
- >= 6.0, < 8.6.2
A reflected cross-site scripting (XSS) vulnerability has been identified in MapServer's Web Map Service (WMS) server, affecting versions from 6.0 up to, but not including, 8.6.2. This vulnerability allows an unauthenticated attacker to inject arbitrary HTML or JavaScript into the browser of any user who opens a crafted WMS URL. The issue arises in WMS 1.3.0 requests when the FORMAT parameter is set to application/openlayers and the request carries an unsanitized SRS parameter. For WMS 1.3.0 requests, the SRS parameter is accepted without validation, enabling script injection. This vulnerability has been patched in MapServer version 8.6.2.
Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.
To reproduce this vulnerability, send a WMS 1.3.0 request with the FORMAT parameter set to application/openlayers. Include a crafted SRS parameter that contains unescaped script elements. When the response is viewed in a browser, the injected script will execute. In contrast, WMS 1.1.x correctly validates the SRS parameter and rejects such injections.
Users are advised to upgrade to MapServer version 8.6.2, where this vulnerability has been patched.
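A defender-side check for the conditions described above, as an added example that is not part of the advisory or of MapServer: it scans web-server access logs for WMS 1.3.0 requests with FORMAT=application/openlayers whose SRS value falls outside an allowlist pattern. The access-log format, the allowlist pattern, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed allowlist grammar for CRS identifiers such as EPSG:4326, CRS:84 or
# urn:ogc:def:crs:EPSG::4326. Tighten it to the projections you actually publish.
SAFE_SRS = re.compile(r"[A-Za-z0-9]+:[A-Za-z0-9_.,:-]+")
# Request line of a combined-format access-log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def wms_params(target):
    """Decode the query string; WMS parameter names are case-insensitive."""
    query = urlsplit(target).query
    return {k.upper(): v for k, v in parse_qsl(query, keep_blank_values=True)}

def is_suspicious(target):
    """True for WMS 1.3.0 + application/openlayers with an SRS outside the allowlist."""
    p = wms_params(target)
    if p.get("VERSION") != "1.3.0":
        return False
    if p.get("FORMAT", "").lower() != "application/openlayers":
        return False
    srs = p.get("SRS")
    return srs is not None and SAFE_SRS.fullmatch(srs) is None

def scan(log_lines):
    """Return (line_number, request_target) for every flagged log line."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match and is_suspicious(match.group(1)):
            hits.append((number, match.group(1)))
    return hits

# Constructed sample entries (not real traffic). Lines 2 and 3 carry an inert
# percent-encoded placeholder where markup characters would appear.
BASE = "/cgi-bin/mapserv?SERVICE=WMS&REQUEST=GetMap&LAYERS=roads"
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET {BASE}&VERSION=1.3.0'
    '&FORMAT=application/openlayers&SRS=EPSG:4326 HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [01/Jan/2025:10:02:11 +0000] "GET {BASE}&VERSION=1.1.1'
    '&FORMAT=application/openlayers&SRS=EPSG%3A4326%22%3CPLACEHOLDER%3E HTTP/1.1" 200 310',
    f'198.51.100.7 - - [01/Jan/2025:10:05:42 +0000] "GET {BASE}&version=1.3.0'
    '&format=application%2Fopenlayers&srs=EPSG%3A4326%22%3CPLACEHOLDER%3E HTTP/1.1" 200 5344',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: review {target}")
```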