During an engagement, Jack Moran from ZX Security discovered a Server-Side Request Forgery (SSRF) vulnerability and a Path Traversal sequence leading to authentication bypass in Precisely Spectrum Spatial Analyst.

What is Precisely Spectrum Spatial Analyst?

Precisely Spectrum Spatial Analyst is an interactive mapping and analysis application, part of the Precisely Spectrum Spatial suite. It is an off-the-shelf product that offers a range of features out of the box to create and modify ‘vector thematic maps and reports’[1]. Precisely Spectrum Spatial Analyst offers an interactive mapping service and provides ‘access to mapping and geographic-based information, addresses and postcode searches’[1].

Server-Side Request Forgery

What is Server-Side Request Forgery?
Server-Side Request Forgery allows a threat actor to induce the back-end server of a vulnerable application to make HTTP requests to destinations of the attacker's choosing. Because the request originates from the server, it can reach internal systems (metadata services, management interfaces, other hosts on the internal network) that are not directly accessible from the internet.

Where was the Server-Side Request Forgery?
The Server-Side Request Forgery issue was discovered in the /connect/analyst/controller/externalTileServiceProxy endpoint. This endpoint accepted an arbitrary URL in the REQUEST_URL= parameter: the server-side application fetched whatever URL was supplied and embedded the fetched response in its own reply, so a threat actor could use it to request, and read back, content from locations the server could reach but the client could not. An example request can be seen below:

GET /connect/analyst/controller/externalTileServiceProxy?MAP_URL=[REDACTED]&REQUEST_URL=[REDACTED]&TYPE=XYZ&mapcfg=[REDACTED]&TILE_PROFILE=/Analyst/NamedExternalTilingConfigurations/Drone HTTP/1.1
Connection: close
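To make the difference between the proxy behaviour described above and a hardened one concrete, the following Python is an added example written for this post; it is not code from ZX Security or from Precisely, and the allow-list, the DNS records and the host names in it are constructed for the example. The vulnerable form simply fetches REQUEST_URL as given; the hardened form restricts the scheme, rejects userinfo in the URL, checks the host against an allow-list, and then resolves the host and refuses anything that lands on a loopback, link-local or private address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allow-list of external tile servers the proxy is meant to talk
# to; the product's real configuration is not shown in the advisory.
ALLOWED_TILE_HOSTS = {"tiles.example.com", "basemap.example.org"}

# Constructed DNS records so the example runs offline. One allow-listed name
# deliberately resolves to loopback, which is the DNS-rebinding / bad-record
# case an allow-list alone does not catch.
FAKE_DNS = {
    "tiles.example.com": "51.15.0.10",
    "basemap.example.org": "127.0.0.1",
}


def fake_resolver(host: str) -> str:
    """Stand-in for socket.gethostbyname backed by FAKE_DNS (constructed)."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        return str(ipaddress.ip_address(host))  # literal IPs resolve to themselves
    except ValueError:
        raise socket.gaierror(f"constructed resolver: unknown host {host!r}")


def vulnerable_target(request_url: str) -> str:
    """The behaviour the advisory describes: the proxy fetches REQUEST_URL as given."""
    return request_url


def is_internal_address(host: str, resolver=socket.gethostbyname) -> bool:
    """Resolve host and report whether it lands on a non-public address."""
    try:
        addr = ipaddress.ip_address(resolver(host))
    except (OSError, ValueError):
        return True  # unresolvable or malformed: fail closed
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified)


def check_tile_url(request_url: str, resolver=socket.gethostbyname) -> str:
    """Return "ok" if the proxy may fetch request_url, otherwise the rejection reason."""
    parts = urlsplit(request_url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return "userinfo not allowed"  # https://tiles.example.com@evil.test/ trick
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_TILE_HOSTS:
        return "host not in allow-list"
    if is_internal_address(host, resolver):
        return "host resolves to an internal address"
    return "ok"


if __name__ == "__main__":
    for url in ("https://tiles.example.com/1/2/3.png",
                "http://169.254.169.254/latest/meta-data/",
                "https://basemap.example.org/z/x/y.png",
                "https://tiles.example.com@evil.test/",
                "file:///etc/passwd"):
        print(url)
        print("  vulnerable fetches:", vulnerable_target(url))
        print("  hardened verdict:  ", check_tile_url(url, fake_resolver))
```

The address check is done on the resolved IP, not on the host name, because an allow-listed name can be pointed at an internal address. In a real proxy the connection should also be made to the address that was checked (pin the resolved IP for the fetch) rather than resolving a second time, and redirects from the upstream must be re-validated with the same function.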


Path Traversal Sequence Leads To Authentication Bypass

What is Path Traversal?
Path Traversal vulnerabilities allow a threat actor to request and access files and directories within a vulnerable application that are usually protected or restricted by authentication methods, typically by supplying ../ sequences that step outside the directory the application intended to expose.

Where was the Path Traversal Sequence?
The Path Traversal sequence vulnerability was discovered on multiple endpoints that accepted an arbitrary URL via the url= parameter. Unlike a traditional Path Traversal, which requests a file or directory, this Path Traversal sequence allowed the proxied request to be pointed at SOAP and REST API endpoints within the platform that otherwise required authentication. Because the proxy forwarded the request on the server's behalf, the additional functionality exposed by those endpoints could be used while bypassing the BASIC authentication that was previously preventing access to them. An example request can be seen below:

GET /connect/analyst/controller/connectProxy/rest/Spatial/ProjectService?url=../../../soap/&now=1655252233022 HTTP/1.1
Connection: close
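The following Python is an added example written for this post, not code from ZX Security or from Precisely, showing why a url= value of ../../../soap/ escapes a proxied REST tree and how a proxy should contain it. The upstream layout (a base of /rest/Spatial/ProjectService/ with /soap/ three levels up) is an assumption chosen to match the three ../ segments in the request above; the product's actual routing is not shown in the advisory.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical layout: connectProxy forwards into this upstream REST tree, and
# only paths inside it should be reachable through the proxy. The SOAP tree
# (/soap/) sits beside it and is meant to stay behind BASIC auth.
UPSTREAM_BASE = "/rest/Spatial/ProjectService/"


def vulnerable_resolve(url_param: str) -> str:
    """Naive join of the base with the caller's url= value: '..' walks out of the tree."""
    return posixpath.normpath(UPSTREAM_BASE + url_param)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Collapse repeated percent-encoding (%252e -> %2e -> .) before any path logic."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hardened_resolve(url_param: str) -> str:
    """Return the upstream path for url_param, or raise ValueError if it escapes UPSTREAM_BASE."""
    decoded = fully_decode(url_param)
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("forbidden character in path")
    # Drop leading slashes so an absolute value cannot replace the base outright,
    # then normalise and check the result is still under the base.
    joined = posixpath.normpath(posixpath.join(UPSTREAM_BASE, decoded.lstrip("/")))
    base = UPSTREAM_BASE.rstrip("/")
    if joined != base and not joined.startswith(base + "/"):
        raise ValueError(f"{joined!r} escapes {UPSTREAM_BASE!r}")
    return joined


def is_contained(url_param: str) -> bool:
    """True if hardened_resolve accepts url_param, False if it would escape the tree."""
    try:
        hardened_resolve(url_param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for value in ("layers", "../../../soap/", "..%2F..%2F..%2Fsoap%2F",
                  "%252e%252e/%252e%252e/%252e%252e/soap"):
        print(f"url={value!r}")
        print("  vulnerable proxy forwards to:", vulnerable_resolve(value))
        print("  hardened proxy allows:       ", is_contained(value))
```

Normalising before the prefix check is the essential step: a check on the raw string would pass ../../../soap/ because it does not begin with a slash. The decoding loop exists because the value may reach the proxy already decoded once by the web server, so a double-encoded %252e%252e still becomes ../ one layer later. Containment on the proxy is a mitigation, not the whole fix; the SOAP and REST endpoints behind it should enforce their own authentication rather than trusting that requests arriving from the proxy are legitimate.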


Vulnerability Disclosure Timeline:

  • 19/08/2022 - ZX Security was sent confirmation that the vulnerabilities are being addressed by the vendor in the next release.
  • 08/10/2022 - Version 2022.1.0 S06 Released.
  • 18/10/2022 - CVE-2022-42182 and CVE-2022-42183 Reserved.
  • 16/11/2022 - Blog published :).

