[OSM-dev] Nominatim: security bug fix release

Sarah Hoffmann lonvia at denofr.de
Mon May 4 11:17:07 UTC 2020


Hi all,

A few days ago we were informed about a security vulnerability in the
Nominatim API. Today we have released updates for all affected Nominatim
versions.

Today we have released new versions 3.4.2, 3.3.1 and 3.2.1 of Nominatim.
If you have your own installation of Nominatim, you should update as soon
as possible.

What is the problem?

  The /details endpoint fails to properly sanitize user input and uses it
  as is in an SQL query. This allows an attacker to inject arbitrary SQL
  code including querying and updating the database.

Which versions are affected?

  The code was added to Nominatim in April 2018. All releases since 3.2
  are affected. The bug has been fixed in 3.4.2, 3.3.1 and 3.2.1.

How is my installation affected?

  If you have followed the standard installation instructions, then the
  /details endpoint is available by default. The standard installation also
  adds a special user for the webserver which has only minimal read rights
  on the database. If you have not changed the rights, then the vulnerability
  can only be used to query the database.

How should I fix it?

  If you don't need the details API, then you can simply delete the file
  `website/details.php` to remove the endpoint. Otherwise, you should install
  the appropriate update for your version. No changes to the database are
  necessary. Simply download and build the new version, copy over your
  `settings/local.php` file and point your webserver to the new version.

A big thank you to @bladeswords for finding and reporting this.

Kind regards

Sarah
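
The announcement notes that an unchanged standard installation limits the vulnerability to read access, because the webserver's database user has only minimal read rights. The following PostgreSQL check is an added example, not part of the original message and not code from the Nominatim project; it lets an operator confirm that this still holds. The role name 'www-data' is an assumption, so substitute the role your webserver actually connects as.

```sql
-- Run with psql inside the Nominatim database as a superuser or the owner.
-- ASSUMPTION: the web server's database role is 'www-data'; substitute yours.

-- 1. Role attributes: all three flags should be false for a web-facing role.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb
FROM pg_roles
WHERE rolname = 'www-data';

-- 2. Relations the role is allowed to modify, counting rights inherited
--    through role membership or granted to PUBLIC. Any row returned means
--    SQL injected through the web role could change that relation.
SELECT c.oid::regclass AS relation, p.priv AS privilege
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN (VALUES ('INSERT'), ('UPDATE'), ('DELETE'), ('TRUNCATE')) AS p(priv)
WHERE c.relkind IN ('r', 'p', 'v')          -- tables, partitioned tables, views
  AND n.nspname !~ '^pg_'                   -- skip system and temp schemas
  AND n.nspname <> 'information_schema'
  AND has_table_privilege('www-data', c.oid, p.priv)
ORDER BY 1, 2;
```

If the second query returns rows or any flag in the first is true, the rights have been widened beyond read access and the read-only limitation described above no longer applies to that installation.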



