CVE-2023-25157: GeoServer’s SQL Injection Vulnerabilities
2023-12-4 15:55:5 Author: infosecwriteups.com

Sandeep Vishwakarma

InfoSec Write-ups

GeoServer, a Java-based open-source software server facilitating the sharing and manipulation of geospatial data, encountered a security challenge on June 6, 2023. Specifically, two SQL injection vulnerabilities, identified as CVE-2023-25157 and CVE-2023-25158, were brought to light by a security researcher.

Technical Insights

The vulnerabilities stemmed from inadequate sanitization of user input within the CQL_FILTER parameter of the WFS and WMS protocols. This parameter defines a filter expression used to select features from geospatial datasets.

Exploitation of these vulnerabilities involves injecting harmful SQL statements into the CQL_FILTER parameter. This could empower an attacker to execute arbitrary SQL commands on the GeoServer database, potentially resulting in unauthorized data access or modification, denial of service, and other malicious actions.

Resolution and Mitigation

The identified vulnerabilities have been addressed in GeoServer versions 2.21.4 and 2.22.2. Users utilizing affected versions are strongly advised to promptly upgrade.

As a temporary measure, users can mitigate the vulnerabilities by deactivating the PostGIS Datastore encode functions setting and activating the PostGIS DataStore preparedStatements setting.
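
Why the preparedStatements setting matters, shown as an added example that is not GeoServer's code and not part of the original article: a simplified Python/sqlite3 model of a "starts with" filter value being encoded into the SQL text versus bound as a parameter. The table, its rows, the function names and the test value are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for a feature table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE roads (id INTEGER, name TEXT, owner TEXT)")
    db.executemany("INSERT INTO roads VALUES (?, ?, ?)", [
        (1, "Main Street", "public"),
        (2, "Mill Lane", "public"),
        (3, "Depot Access", "restricted"),
    ])
    return db

def starts_with_concat(db, prefix):
    # Models encoding the filter literal straight into the SQL text:
    # the value becomes part of the statement the database parses.
    sql = ("SELECT name FROM roads WHERE owner = 'public' "
           "AND name LIKE '" + prefix + "%'")
    return [row[0] for row in db.execute(sql)]

def starts_with_prepared(db, prefix):
    # Models the prepared-statement path: the statement text is fixed and
    # the literal travels separately as a bound value. LIKE wildcards in
    # the value are escaped so that it only ever matches literally.
    escaped = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = ("SELECT name FROM roads WHERE owner = 'public' "
           "AND name LIKE ? ESCAPE '\\'")
    return [row[0] for row in db.execute(sql, (escaped + "%",))]

def compare(value):
    # Run the same filter value through both paths on a fresh database.
    db = make_db()
    return starts_with_concat(db, value), starts_with_prepared(db, value)

if __name__ == "__main__":
    # An ordinary prefix behaves identically on both paths.
    print(compare("M"))
    # A constructed value containing a quote rewrites the WHERE clause in
    # the concatenated query (the restricted row is returned) but is only
    # an unmatched string on the prepared path.
    print(compare("' OR 1=1 --"))
```

With a bound parameter the database never parses the filter value as SQL, which is the property the temporary measure relies on.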

Assessment of Impact

The severity of the vulnerabilities varies based on the privileges held by the exploiting user. An attacker with administrator privileges could potentially assume complete control of the GeoServer server. Even with lesser privileges, an attacker could still compromise sensitive data or disrupt server availability.

Proof of Concept (PoC) Exploitation Explanation

This script serves as a Proof of Concept (PoC) to illustrate the existence of SQL Injection vulnerabilities within GeoServer’s OGC (Open Geospatial Consortium) Filter feature. Let’s delve into the script’s functionality step by step:

1. Importing Essential Modules: The script begins by importing required modules, such as ‘requests’ for handling HTTP requests, ‘sys’ for managing command-line arguments, ‘xml.etree.ElementTree’ for XML parsing, and ‘json’ for handling JSON data.

2. Color-Coded Output Designation: ANSI color codes are defined within the script to facilitate color-enhanced output in the terminal.

3. Command-Line Argument Verification: The script checks for the presence of the necessary URL parameter. If absent, it displays a usage message and exits.

4. URL and Proxy Configuration: The target URL is obtained from the provided command-line arguments, with an optional proxy activation (disabled by default).

5. Retrieving Feature Names: A GET request is dispatched to the targeted GeoServer using the ‘GetCapabilities’ request, retrieving a list of available feature names. The script then extracts and displays these feature names.

6. Requesting with CQL_FILTERs: The script proceeds to send requests for each feature name, incorporating various CQL_FILTERs (Common Query Language filters) to showcase the SQL Injection vulnerability. CQL_FILTERs are crafted using different filter functions like “strStartsWith,” “PropertyIsLike,” etc., with the ‘CQL_FILTER’ parameter manipulated using the vulnerable payload.

7. Handling Response Data: For each request, the script examines the response status code. If it is 200 (OK), the script processes the JSON response to extract property names, printing them. Subsequently, it continues sending additional requests with the ‘CQL_FILTER’ payload for each property, displaying the results and indicating the success or failure of each request.

8. Final Output Presentation: The script culminates by presenting the results in a color-coded format, showcasing the available feature names, properties, and highlighting any potential SQL Injection vulnerabilities, if detected.

This script is designed exclusively for educational and illustrative purposes. It is imperative to use it responsibly. Engaging in unauthorized activities against systems that you do not own, or without explicit permission, is both illegal and unethical. Adherence to responsible disclosure guidelines is essential, and it is crucial to uphold the security and privacy of others at all times.

Mitigation Measures

To safeguard against CVE-2023-25157 and CVE-2023-25158, consider implementing the following mitigation measures:

1. Update your GeoServer to versions 2.21.4 or 2.22.2.

2. Deactivate the PostGIS Datastore encode functions setting.

3. Activate the PostGIS DataStore preparedStatements setting.

4. Employ a web application firewall (WAF) to screen and block malicious requests.

5. Enforce robust password policies and enhance user authentication measures.

6. Regularly monitor your GeoServer for any indications of unauthorized activities.
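
One way to approach the monitoring item above, as an added example that is not from the original article: a Python triage pass over web access logs that pulls out CQL_FILTER values from OGC requests and flags those containing SQL syntax. The log lines are constructed, and the token list and function name are assumptions of this example to be tuned against real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Dec/2023:10:00:01 +0000] "GET /geoserver/ows?service=WFS'
    '&request=GetFeature&typeName=demo:roads&CQL_FILTER=name%20LIKE%20%27Main%25%27'
    ' HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Dec/2023:10:00:09 +0000] "GET /geoserver/ows?service=WFS'
    '&request=GetFeature&typeName=demo:roads&cql_filter=name%3D%27a%27+UNION+SELECT+1+--'
    ' HTTP/1.1" 200 98',
    '192.0.2.10 - - [04/Dec/2023:10:00:12 +0000] "GET /geoserver/ows?service=WFS'
    '&request=GetCapabilities HTTP/1.1" 200 20480',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Heuristic: tokens that rarely appear in a legitimate CQL expression
# (an assumption of this example, not a complete signature set).
SQL_TOKENS = re.compile(
    r"--|/\*|;|\b(?:union|select|insert|update|delete|drop)\b", re.I)

def flag_cql_filters(lines):
    """Return (client, decoded_filter, token) for CQL_FILTER values that look like SQL."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qsl percent-decodes values; the parameter name is compared
        # case-insensitively because OGC key-value parameter names are.
        for key, value in parse_qsl(urlsplit(target).query,
                                    keep_blank_values=True):
            if key.lower() != "cql_filter":
                continue
            token = SQL_TOKENS.search(value)
            if token:
                hits.append((client, value, token.group(0)))
    return hits

if __name__ == "__main__":
    for hit in flag_cql_filters(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than proof of compromise, and the check complements the upgrade and datastore settings rather than replacing them.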

In Conclusion

The vulnerabilities presented by CVE-2023-25157 and CVE-2023-25158 pose significant threats, potentially allowing unauthorized access to GeoServer servers. Users utilizing impacted versions are strongly urged to promptly upgrade. Meanwhile, interim protection can be achieved by disabling the PostGIS Datastore encode functions setting and enabling the PostGIS DataStore preparedStatements setting.



Source: https://infosecwriteups.com/cve-2023-25157-geoservers-sql-injection-vulnerabilities-0c875731bfb1?source=rss----7b722bfd1b8d---4