MapServer < 5.2.2 / 4.10.4 Multiple Flaws

Severity: High | Nessus Plugin ID 36074


The remote web server contains a CGI script that is affected by multiple flaws.


The remote host is running MapServer, an open source Internet map server. The installed version of MapServer is affected by multiple flaws :

- By creating a map file with overly long IMAGEPATH and/or NAME attribute(s), it may be possible to trigger a stack-based buffer overflow. (CVE-2009-0839)

- It may be possible to trigger a heap-based buffer overflow by sending an HTTP POST request whose Content-Length header (passed to the CGI as the 'CONTENT_LENGTH' environment variable) is set to '-1'. (CVE-2009-0840) Note: According to some reports this issue might have been incorrectly fixed; see the references below for more information.

- It may be possible to create arbitrary files by supplying file names in the 'id' parameter. (CVE-2009-0841)

- Provided an attacker can create symlinks on the file system, it may be possible to partially read the contents of arbitrary files. (CVE-2009-0842)

- Provided an attacker has knowledge of a valid map file, it may be possible to determine if an arbitrary file exists on the remote system. (CVE-2009-0843)

- Sufficient boundary checks are not performed on the 'id' parameter in mapserv.c. An attacker may exploit this issue to trigger a buffer overflow, resulting in arbitrary code execution on the remote system. (CVE-2009-1176)

- maptemplate.c contains multiple stack-based buffer overflows. (CVE-2009-1177)
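Two of the inputs named above, CONTENT_LENGTH and the 'id' parameter, are the kind of CGI input a hardened build validates before use. The following is an added example written for this page, not MapServer's own code: it shows the unsafe signed parse that lets a '-1' Content-Length wrap an allocation size to zero, next to a parse that rejects it, and a length-and-charset check for 'id' that rules out both the overlong values of the overflow class and the path characters of the arbitrary-file-write class. The ceilings MAX_POST_BODY and MAX_ID_LEN and all function names are this example's assumptions.

```c
/* Added example for this advisory, not MapServer source. */
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_POST_BODY (64 * 1024)  /* assumed ceiling for a POST body */
#define MAX_ID_LEN    128          /* assumed ceiling for the id parameter */

/* Vulnerable pattern: atoi() accepts a sign, so "-1" becomes -1 and nothing
 * stops it being used as a length. Kept only to show what is rejected below. */
long unsafe_content_length(const char *env_value)
{
    return atoi(env_value);  /* no sign, range or junk check */
}

/* Vulnerable pattern, continued: a "len + 1" allocation computed from -1
 * wraps to 0, so malloc() hands back a tiny block and a read of len bytes
 * into it writes past the end (a heap overflow). */
size_t unsafe_alloc_size(long len)
{
    return (size_t)len + 1;  /* -1 -> 0 */
}

/* Hardened: digits only, parsed unsigned, no trailing junk, bounded above.
 * Returns the length, or -1 when the value must be rejected. */
long safe_content_length(const char *env_value)
{
    if (env_value == NULL || *env_value == '\0')
        return -1;
    if (!isdigit((unsigned char)env_value[0]))  /* rejects "-1", "+5", " 7" */
        return -1;
    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(env_value, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    if (v > MAX_POST_BODY)
        return -1;
    return (long)v;
}

/* Hardened check for the 'id' parameter: bounded length (the overflow
 * class) and a strict whitelist that excludes '/', '\\' and '.', so ".."
 * and absolute paths (the arbitrary-file-write class) cannot get through.
 * Returns 1 if the value is acceptable, 0 otherwise. */
int valid_id_param(const char *id)
{
    if (id == NULL)
        return 0;
    size_t n = 0;
    for (; id[n] != '\0'; n++) {
        if (n >= MAX_ID_LEN)  /* stop scanning once it is already too long */
            return 0;
        unsigned char c = (unsigned char)id[n];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;
    }
    return n > 0;
}
```

The point of `safe_content_length` is that the sign test happens before any conversion and the result is compared against an explicit ceiling, so neither a negative value nor a huge one ever reaches an allocation. The `id` check deliberately whitelists rather than blacklists: stripping `..` alone still leaves absolute paths and encoded separators.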


Upgrade to MapServer 5.2.2 or 4.10.4 (or later), according to the installed branch.
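The plugin is a version check (note the paranoid-mode and thorough-checks configuration below), so a practitioner verifying a fleet mostly needs the same comparison. The following is an added example written for this page, not Tenable's plugin code: it parses a banner and reports whether the version falls below the fixed releases. It assumes a banner of the form "MapServer version X.Y.Z ..." and reads the title's "< 5.2.2 / 4.10.4" as: 5.x is affected below 5.2.2, anything older than 5.x is affected below 4.10.4, and 6.x and later are not claimed by this plugin.

```c
/* Added example for this advisory, not the Nessus plugin's code. */
#include <stdio.h>
#include <string.h>

struct ver { int major, minor, patch; };

/* Extract X.Y[.Z] following "version " in the banner (or from its start).
 * Returns 1 on success, 0 if no usable version is present. */
int parse_mapserver_version(const char *banner, struct ver *out)
{
    if (banner == NULL || out == NULL)
        return 0;
    const char *p = strstr(banner, "version ");
    p = p ? p + strlen("version ") : banner;
    out->major = out->minor = out->patch = 0;
    int n = sscanf(p, "%d.%d.%d", &out->major, &out->minor, &out->patch);
    return n >= 2;  /* "5.2" is accepted and treated as 5.2.0 */
}

static int cmp_ver(struct ver a, struct ver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* Returns 1 if the banner's version is in an affected range, 0 if it is at
 * or above the fix for its branch (or outside the claimed ranges), and -1
 * if the banner could not be parsed. */
int mapserver_affected(const char *banner)
{
    struct ver v;
    if (!parse_mapserver_version(banner, &v))
        return -1;
    const struct ver fix5 = {5, 2, 2};
    const struct ver fix4 = {4, 10, 4};
    if (v.major >= 6)
        return 0;                    /* assumption: not claimed by this plugin */
    if (v.major == 5)
        return cmp_ver(v, fix5) < 0; /* 5.x before 5.2.2 */
    return cmp_ver(v, fix4) < 0;     /* assumption: all older branches below 4.10.4 */
}

int main(void)
{
    /* Constructed sample banners, not captured from a real server. */
    const char *samples[] = {
        "MapServer version 5.2.1 OUTPUT=GIF OUTPUT=PNG SUPPORTS=PROJ",
        "MapServer version 4.10.3 OUTPUT=PNG",
        "MapServer version 5.2.2 OUTPUT=PNG",
        "no version here",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", mapserver_affected(samples[i]), samples[i]);
    return 0;
}
```

A real check should pull the banner from the same place the plugin does (the KB item www/mapserver is populated by a separate detection), and should treat a parse failure as "unknown" rather than "fixed".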

Plugin Details

Severity: High

ID: 36074

File Name: mapserver_5_2_2.nasl

Version: 1.17

Type: remote

Family: CGI abuses

Published: 4/2/2009

Updated: 6/1/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

Vulnerability Priority Rating (VPR)

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

Required KB Items: Settings/ParanoidReport, www/mapserver

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CVE: CVE-2009-0839, CVE-2009-0840, CVE-2009-0841, CVE-2009-0842, CVE-2009-0843, CVE-2009-1176, CVE-2009-1177

BID: 34306

CWE: 119, 20, 200, 22

Secunia: 34520