Trace: Mapbender

Mapbender

From GISWiki

Mapbender is a graduated project of the Open Source Geospatial Foundation. Read more about Mapbender in the project Wiki.

1 Introduction
2 Categorization
3 External links

Introduction

Mapbender is a web mapping software implemented in PHP and en:JavaScript, the configuration resides in a data model stored in a PostgreSQL PostGIS or MySQL database. It is developed as an Open Source project and licensed by the GNU GPL as Free Software. Mapbender is a framework for managing spatial data services that are standardized following the OGC specifications OWS, WMS and WFS and using the formats GeoRSS and GML and Web Map Context. The framework implements user management, authentication and authorization. Management interfaces for user, group and service administration are stored as configurations in the database.

The software is used to display, overlay, edit and manage distributed Web Map Services. The maps themselves are generated by Server software. From this perspective Mapbender is a client software. The client interfaces are generated dynamically by PHP scripts on the Mapbender Server.

User Interface

User interfaces are created using forms of the same web based type. User interfaces contain elements (buttons, maps, legends, links), each has associated HTML attributes, path to PHP modules or JavaScript code which are stored in the database. Basic modules implement:

zoom in and out
pan map
click and query (OGC WMS GetFeatureInfo)
turn layers on and off
move to coordinate (zoom to)
get coordinate (mouse click)
digitize (add new points, lines, polygons; this requires transactional WFS)
load map services (OGC WMS)
reorder and remove map services
show legend
print
search interfaces
store current map composition as OGC Web Map Context document

User interfaces can be started parameterized with a bounding box, set of services and set of activated layers. The module list is maintained in the Mapbender Wiki.

Administration Interfaces

Administration interfaces are user interfaces with administration modules. This makes administration highly flexible and multi client capable (both multiple interfaces and user/group permission). Administration modules include management (add, edit, remove) of:

users
groups
interfaces (GUI)
WMS services
WFS and transactional WFS services
OWS Security Proxy
Metadata
Log and protocol
Service monitor

Security

During a penetration test RedTeam Pentesting GmbH discovered a remote command execution vulnerability in Mapbender. An unauthorized user can create arbitrary PHP-files on the Mapbender webserver, which can later be executed.

Furtherore the team discovered multiple SQL-Injections in Mapbender. A remote attacker is able to execute arbitrary SQL commands and therefore can get e.g. valid usernames and password hashes of the Mapbender users.

Affected are Versions 2.4 - 2.4.4 (verified) and probably older versions too.

The Mapbender Project Image Gallery

The Mapbender Gallery shows a selection of apllications implemented with Mapbender software. If you find an application with Mapbender software in the internet or operate one yourself, please feel free to add them Wiki-style to the Mapbender User Map with the new geo data editor (flag button).

Categorization

Mapbender is designed to manage loosely coupled web services in a SOA. Due to some glitches in early GIS history with Coordinate systems, Cartesian coordinate systems and Surveying this can sometimes be somewhat complex. A good example is the Axis Order Confusion explained in the OSGeo Wiki.

The Mapbender software covers the following topics: