If you use Geocortex Viewer for HTML5, update your apps!
From Drew Millen, Geocortex Product Manager at Latitude Geographics Group:
- This issue potentially allows a malicious attacker to craft a viewer URL that loads configuration and code from a domain under their control.
- This issue is a result of the way viewer configurations have historically been loaded. In the past, attempts to load configurations from other domains were prevented by the browser; however, newer browsers have evolved to support a technology called Cross-Origin Resource Sharing (CORS), which now allows cross-domain requests to be made.
- An attacker can craft a link to a viewer on a trusted domain, such as http://trusted/viewer/index.html, that loads their malicious configuration file from a machine that they control. If the attacker’s server is configured correctly, they can serve malicious code to users who have been fooled into clicking the link.
- An example of a malicious link could be: http://trusted/viewer/index.html?configBase=http://go.geocortex.com/e/61102/2015-03-26/3qh36/47536401resources/config/default/
- All browsers supporting CORS — including ones in iOS and Android — are susceptible.
Here’s what we recommend you do:
- Download the applicable patches we are making available in the Geocortex Support Center. Click the “Geocortex Viewer for HTML5” link and look for Security Update 2015-03-26.zip.
- Read instructions.txt for notes regarding potential changes to viewer launch links in certain advanced scenarios.
- Follow instructions.txt for instructions on applying the patch.
We apologize for any inconvenience this issue may cause you. Please get in touch with us if you have any questions or if we can help.