CVE-2023-25157: SQL Injection Vulnerabilities in GeoServer

July 23, 2023
Muhammad Kamran Hasan

Introduction

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. On June 6, 2023, a security researcher disclosed two SQL injection vulnerabilities in GeoServer, tracked as CVE-2023-25157 and CVE-2023-25158.

Technical Details

The vulnerabilities were caused by a failure to properly sanitize user-supplied input in the CQL_FILTER parameter of the WFS and WMS protocols. This parameter is used to specify a filter expression that is used to select features from a geospatial dataset.

An attacker could exploit these vulnerabilities by injecting malicious SQL statements into the CQL_FILTER parameter. This could allow the attacker to execute arbitrary SQL commands on the GeoServer database, which could lead to unauthorized data access or modification, denial of service, or other attacks.

The vulnerabilities have been patched in GeoServer versions 2.21.4 and 2.22.2. Users of affected versions are advised to upgrade as soon as possible.

In the meantime, users can mitigate the vulnerabilities by disabling the PostGIS Datastore encode functions setting and enabling the PostGIS DataStore preparedStatements setting.
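The two interim settings above live in each PostGIS datastore's configuration. The following added example (not GeoServer's own code, nor the author's PoC) audits datastore definitions for the weak combination and shows the hardened form beside it. The datastore.xml layout it parses (`<dataStore><connectionParameters><entry key="...">value</entry>`) and the parameter keys `encode functions` and `preparedStatements` are assumptions taken from the setting names in this post; verify them against your own data directory before relying on the audit.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of a PostGIS datastore.xml with the vulnerable combination:
# function encoding on, prepared statements off. Host and names are made up.
VULNERABLE_DATASTORE_XML = """<dataStore>
  <id>DataStoreInfoImpl-example</id>
  <name>postgis_states</name>
  <type>PostGIS</type>
  <enabled>true</enabled>
  <connectionParameters>
    <entry key="dbtype">postgis</entry>
    <entry key="host">db.example.internal</entry>
    <entry key="port">5432</entry>
    <entry key="database">gis</entry>
    <entry key="encode functions">true</entry>
    <entry key="preparedStatements">false</entry>
  </connectionParameters>
</dataStore>
"""

# Same datastore with the interim mitigation applied: encode functions off,
# prepared statements on (constructed by flipping the two entries).
HARDENED_DATASTORE_XML = VULNERABLE_DATASTORE_XML.replace(
    '<entry key="encode functions">true', '<entry key="encode functions">false'
).replace(
    '<entry key="preparedStatements">false', '<entry key="preparedStatements">true'
)

# A non-PostGIS datastore (constructed) to show that the audit only reports on PostGIS.
SHAPEFILE_DATASTORE_XML = """<dataStore>
  <id>DataStoreInfoImpl-shp</id>
  <name>states_shp</name>
  <type>Shapefile</type>
  <connectionParameters>
    <entry key="url">file:data/states.shp</entry>
  </connectionParameters>
</dataStore>
"""


def connection_parameters(xml_text):
    """Collect <entry key="...">value</entry> pairs into a dict (assumed layout)."""
    root = ET.fromstring(xml_text)
    params = {}
    for entry in root.iter("entry"):
        key = entry.get("key")
        if key is not None:
            params[key] = (entry.text or "").strip()
    return params


def _as_bool(value):
    """'true'/'false' strings to bool; None when the entry is absent."""
    if value is None:
        return None
    return value.strip().lower() == "true"


def audit_datastore(xml_text):
    """Report whether a datastore definition still has the weak PostGIS settings."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="(unnamed)")
    params = connection_parameters(xml_text)
    if params.get("dbtype", "").lower() != "postgis":
        return {"name": name, "applicable": False, "findings": []}

    findings = []
    encode = _as_bool(params.get("encode functions"))
    if encode is None:
        findings.append("'encode functions' not set explicitly: verify it is disabled")
    elif encode:
        findings.append("'encode functions' is enabled: disable it")

    prepared = _as_bool(params.get("preparedStatements"))
    if prepared is None:
        findings.append("'preparedStatements' not set explicitly: verify it is enabled")
    elif not prepared:
        findings.append("'preparedStatements' is disabled: enable it")

    return {"name": name, "applicable": True, "findings": findings}


def audit_data_directory(data_dir):
    """Walk a GeoServer data directory and audit every datastore.xml found."""
    results = []
    for path in Path(data_dir).rglob("datastore.xml"):
        report = audit_datastore(path.read_text(encoding="utf-8"))
        report["path"] = str(path)
        results.append(report)
    return results


if __name__ == "__main__":
    for label, xml_text in (("vulnerable", VULNERABLE_DATASTORE_XML),
                            ("hardened", HARDENED_DATASTORE_XML),
                            ("shapefile", SHAPEFILE_DATASTORE_XML)):
        print(label, audit_datastore(xml_text))
```

The audit treats an absent entry as "verify", not as safe, because it does not assume GeoServer's defaults; an upgrade to the patched versions remains the real fix and this check only confirms the interim settings are in place.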

Impact of the Vulnerabilities

The impact of the vulnerabilities depends on the privileges of the user who is exploiting them. An attacker with administrator privileges could potentially gain complete control of the GeoServer server. An attacker with fewer privileges could still access sensitive data or disrupt the availability of the server.

Exploit PoC Explanation

This script is a Proof of Concept (PoC) for demonstrating SQL Injection vulnerabilities in GeoServer's OGC (Open Geospatial Consortium) Filter feature. Let's break down the script step by step:

  • Importing Required Modules: The script imports the necessary modules, including `requests` for making HTTP requests, `sys` for command-line arguments, `xml.etree.ElementTree` for parsing XML, and `json` for handling JSON data.

  • Colored Output Codes: The script defines some ANSI color codes for generating colored output in the terminal.

  • Command-Line Arguments: The script checks if it has been provided with the necessary URL parameter. If not, it displays a usage message and exits.

  • URL and Proxy Settings: The target URL is retrieved from the command-line arguments, and there's an option to enable a proxy if needed (by default, it's disabled).

  • Retrieving Feature Names: The script sends a GET request to the target GeoServer with the `GetCapabilities` request to obtain a list of available feature names. It then extracts and prints these feature names.

  • Sending Requests with CQL_FILTERs: The script then sends a request for each feature name, applying various CQL_FILTER (Common Query Language filter) expressions to demonstrate the SQL Injection vulnerability. The filters are built from different filter functions such as "strStartsWith" and "PropertyIsLike", and the `CQL_FILTER` parameter carries the vulnerable payload.

  • Handling Responses: For each request, the script checks the response status code. If the status code is 200 (OK), it processes the JSON response to extract property names and prints them. Then, it proceeds to send further requests with the `CQL_FILTER` payload for each property and prints the result, indicating whether the request was successful or if an error occurred.

  • Final Output: The script prints the results in colored format, showing the available feature names, properties, and any potential SQL Injection vulnerabilities (if applicable).

This script is intended for educational and demonstration purposes only and should be used responsibly. Unauthorized use against systems you don't own or without explicit permission is illegal and unethical. Always follow responsible disclosure guidelines and respect the security and privacy of others.

Mitigation Strategies

The following mitigation strategies can be used to protect against CVE-2023-25157 and CVE-2023-25158:

  • Upgrade to GeoServer versions 2.21.4 or 2.22.2.

  • Disable the PostGIS Datastore encode functions setting.

  • Enable the PostGIS DataStore preparedStatements setting.

  • Use a web application firewall (WAF) to filter malicious requests.

  • Implement strong password policies and user authentication.

  • Monitor your GeoServer server for signs of unauthorized activity.
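For the last point, monitoring, a practical starting signal is any request whose CQL_FILTER value carries SQL metacharacters that a legitimate CQL expression rarely needs. The following added example (not part of the original post or of GeoServer) scans web server access log lines in front of GeoServer and flags such values. The log format (combined-style), the sample lines and the IP addresses are constructed for the example; the heuristics are deliberately simple and will need tuning against your own traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log lines (combined format) for a reverse proxy in
# front of GeoServer. The traffic, hosts and addresses are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2023:10:01:02 +0000] "GET /geoserver/wfs?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&outputFormat=json&CQL_FILTER=strStartsWith(STATE_NAME,%27Ne%27) HTTP/1.1" 200 5123
10.0.0.9 - - [23/Jul/2023:10:01:07 +0000] "GET /geoserver/wms?service=WMS&request=GetMap&layers=topp:states&cql_filter=strStartsWith(STATE_NAME,%27a%27--%27) HTTP/1.1" 500 812
10.0.0.5 - - [23/Jul/2023:10:01:09 +0000] "GET /geoserver/wfs?service=WFS&request=GetCapabilities HTTP/1.1" 200 20311
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTOCOL", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def cql_filter_values(target):
    """Return every CQL_FILTER value in a request target, percent-decoded.

    OGC parameter names are case-insensitive, so cql_filter and CQL_FILTER both match.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [v for key, values in params.items() if key.lower() == "cql_filter" for v in values]


def cql_filter_findings(value):
    """Heuristic indicators that a CQL_FILTER value is trying to break out of a string literal."""
    findings = []
    if "--" in value:
        findings.append("sql line comment marker")
    if "/*" in value or "*/" in value:
        findings.append("sql block comment marker")
    if ";" in value:
        findings.append("statement separator")
    # CQL escapes a quote inside a literal by doubling it, so well-formed
    # filters always have an even number of single quotes.
    if value.count("'") % 2 == 1:
        findings.append("unbalanced single quotes")
    return findings


def scan_log(text):
    """Return one record per log line whose CQL_FILTER triggers any heuristic."""
    hits = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        for value in cql_filter_values(match.group("target")):
            findings = cql_filter_findings(value)
            if findings:
                hits.append({
                    "ip": match.group("ip"),
                    "ts": match.group("ts"),
                    "status": int(match.group("status")),
                    "cql_filter": value,
                    "findings": findings,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["findings"], hit["cql_filter"])
```

Pair the flagged requests with the HTTP status: a burst of 500 responses on filtered requests from one client is a stronger signal than a single odd-looking value, and the same checks can be expressed as a WAF rule on the decoded CQL_FILTER parameter.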

Conclusion

CVE-2023-25157 and CVE-2023-25158 are serious vulnerabilities that could be exploited by attackers to gain unauthorized access to GeoServer servers. Users of affected versions are advised to upgrade as soon as possible. In the meantime, users can mitigate the vulnerabilities by disabling the PostGIS Datastore encode functions setting and enabling the PostGIS DataStore preparedStatements setting.
