SUIS, security issues »

There are a few security issues to deal with when running the ShapeUp Image Server.

The administration/configuration, as well as the actual map image requests are handled through an HTTP/HTML interface. Administration uses one port, and image requests another. It is thus possible to configure the server remote, but this also gives a security problem.

It is recommended that the port used for administration is blocked in the firewall.

With image requests in its most general form, the client/end-user has full control over what parameters to use when generating the image, which means the user can:

1. Request a super large image.
2. Request any portion of your map.
3. Request a map of arbitrary scale.

To solve issue 1, SUIS should be set-up with a maximum allowed image width and height.

To solve any of the three issues, one of the following could be done:

• Create an Image Server Extension, which does not expose these parameters, and checks for out-of-bound conditions.
• Create a server side script which fetches the image from SUIS and returns it to the client, hiding the parameters above. In this case, the server running SUIS should be set-up not to accept any requests from other clients than the server running the web server.

It is not recommended, though possible, to use SUIS as the main web server.

If the map data has no dynamic behaviour, and only fixed zoom levels, it is possible to use ShapeUp to pre-generate a grid of map images which could be used instead. In this case, there is no need to use SUIS at all, unless the pre-generated maps requires more disc resources than affordable.

Back