Security Vulnerability in Geocortex Viewer for HTML5

If you use Geocortex Viewer for HTML5, update your apps!

From Drew Millen, Geocortex Product Manager at Latitude Geographics Group:

Yesterday we were made aware of a potential security issue affecting all versions of Geocortex Viewer for HTML5, thanks to a vigilant customer contacting our Support team.  While we don’t know of any specific attacks that may have exploited this vulnerability amongst our customers, we take potential security issues very seriously. We’re happy to report that we were able to respond quickly, and a patch will be available for download in the Geocortex Support Center in the coming hours. The patch involves replacing a single JavaScript file and does not require a re-install or that you update Geocortex Essentials.   We recommend customers with applications that use Geocortex Viewer for HTML5 (all versions) apply the patch. Note that the upcoming release of Geocortex Viewer for HTML5 2.4 will not expose this vulnerability. Here’s what you need to know:

  • This issue potentially allows a malicious attacker to craft a viewer URL that loads configuration and code from a domain under their control.
  • This issue is a result of the way viewer configurations have historically been loaded. In the past, attempts to load configurations from other domains were prevented by the browser; however, newer browsers have evolved to support a technology called Cross-Origin Resource Sharing (CORS), which now allows cross-domain requests to be made.
  • An attacker can craft a link to a viewer on a trusted domain, such as http: //trusted/viewer/index.html, that loads their malicious configuration file from a machine that they control. If the attacker’s server is configured correctly, they can serve malicious code to users who have been fooled into clicking the link.
  • An example of a malicious link could be: http: //trusted/viewer/index.html?configBase=http://go.geocortex.com/e/61102/2015-03-26/3qh36/47536401resources/config/default/
  • All browsers supporting CORS — including ones in iOS and Android — are susceptible.

Here’s what we recommend you do:

  • Download the applicable patches we are making available in the Geocortex Support Center. Click the “Geocortex Viewer for HTML5” link and look for Security Update 2015-03-26.zip.
  • Read instructions.txt for notes regarding potential changes to viewer launch links in certain advanced scenarios.
  • Follow instructions.txt for instructions on applying the patch.

We apologize for any inconvenience this issue may cause you. Please get in touch with us if you have any questions or if we can help.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s