MapServer - WFS XML Filter Query SQL injection

MapServer is a system for developing web-based GIS applications. Prior to 8.4.1, the XML Filter Query directive PropertyName is vulnerably to Boolean-based SQL injection. It seems like expression checking is bypassed by introducing double quote characters in the PropertyName. Allowing to manipulate backend database queries. This vulnerability is fixed in 8.4.1.

N/A

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

Mapserver SQL注入漏洞

Mapserver是开源地理空间（Osgeo）基金会的一套用于将空间数据和交互式地图应用程序发布到Web的开源平台。 Mapserver 8.4.1之前版本存在SQL注入漏洞，该漏洞源于XML Filter Query指令PropertyName存在布尔型SQL注入，可通过引入双引号字符绕过表达式检查，可能导致操纵后端数据库查询。

N/A

N/A