Clarence Davis davisc

## bex-scan
Use of Hard-coded Credentials - Line 49 is check for bbox, not a credential
Missing Encryption of Sensitive Data - Test settings are not used in production enviornments
Cross-site Scripting - I am unable to reproduce the vulnerabilitiy using the documneted attack string

## gis:services
https://maps.floridadisaster.org/GIS/rest/services/Facilities/Designated_Evacuation_Routes/MapServer/
https://maps2.dcgis.dc.gov/dcgis/rest/services/DCGIS_DATA/ServiceRequests/MapServer/
https://idpgis.ncep.noaa.gov/arcgis/services/NWS_Observations/radar_base_reflectivity/MapServer/WMSServer
https://coast.noaa.gov/arcgis/rest/services/MarineCadastre/OceanUsesCalifornia/MapServer/
https://idpgis.ncep.noaa.gov/arcgis/services/NWS_Forecasts_Guidance_Warnings/NHC_Atl_trop_cyclones_active/MapServer/WMSServer
https://maps.cityofmadison.com/arcgis/rest/services/Water_Utility/MWU_Scheduled_Flushing/MapServer/
https://gis.fema.gov/arcgis/rest/services/NSS/NSS_flex_facilities/MapServer/
http://services.arcgisonline.com/arcgis/rest/services/Polar/Antarctic_Imagery/MapServer
http://w20.education.state.mn.us/arcgis/rest/services/DistrictAttendanceBoundaries/MapServer/
https://idpgis.ncep.noaa.gov/arcgis/rest/services/NOAA/MPA_Inventory_Fishing/MapServer/

## gist:f2f58bc99da0444e1a007897c50ee309
//Add this to map_viwer.html

<a ng-click="toggleFlightPath(); $event.stopPropagation();">
    <i class="material-icons visible">show_chart</i>
</a>


//Add this to viewer.js near line 429
var FLIGHT_PATH_CONST = true;
   $scope.toggleFlightPath = function (lyr) {

## charts.json
{
    "nvd3": {
        "tabAppleStocks": [{
            "key": "Apple Stocks",
            "values": [{
                "x": 1,
                "y": 0.5
            }, {
                "x": 2,
                "y": 1.5

## crimemap
<csw:Transaction xmlns:csw="http://www.opengis.net/cat/csw/2.0.2" xmlns:ows="http://www.opengis.net/ows" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.opengis.net/cat/csw/2.0.2 http://schemas.opengis.net/csw/2.0.2/CSW-publication.xsd" service="CSW" version="2.0.2" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dct="http://purl.org/dc/terms/" xmlns:registry="http://gis.harvard.edu/HHypermap/registry/0.1" >
<csw:Insert>
<csw:Record xmlns:registry="http://gis.harvard.edu/HHypermap/registry/0.1" >
<dc:identifier>78deee94-abb0-4d55-a589-022c9aa8f83c</dc:identifier>
<dc:title>American Bullfrog</dc:title>
<dc:type>dataset</dc:type>
<dc:format>OGC:WMS</dc:format>
<dct:modified>2017-05-17</dct:modified>
<dct:abstract>Jeremiah was a bullfrog</dct:abstract>
<dc:creator>Boundless</dc:creator>

## OpenLayers Date
/**
 * Namespace: OpenLayers.Date
 * Contains implementations of Date.parse and date.toISOString that match the
 *     ECMAScript 5 specification for parsing RFC 3339 dates.
 *     http://tools.ietf.org/html/rfc3339
 */
OpenLayers.Date = {

    /**
     * APIProperty: dateRegEx

## error
Aug 15, 2016 12:25:35 PM org.locationtech.geogig.rest.repository.CommandResource formatUnexpectedException
SEVERE: Unexpected exception : 77b3f585-6e49-45a0-a918-20aff8bd23f8
org.locationtech.geogig.storage.ConfigException: java.io.IOException: No such file or directory
	at org.locationtech.geogig.storage.fs.IniFileConfigDatabase$2.iniFile(IniFileConfigDatabase.java:96)
	at org.locationtech.geogig.storage.fs.INIFile.checkReload(INIFile.java:330)
	at org.locationtech.geogig.storage.fs.INIFile.get(INIFile.java:56)
	at org.locationtech.geogig.storage.fs.IniFileConfigDatabase.getGlobal(IniFileConfigDatabase.java:140)
	at org.locationtech.geogig.storage.bdbje.JEObjectDatabase.newTransaction(JEObjectDatabase.java:887)
	at org.locationtech.geogig.storage.bdbje.JEObjectDatabase.putInternal(JEObjectDatabase.java:628)
	at org.locationtech.geogig.storage.AbstractObjectStore.put(AbstractObjectStore.java:212)

## Boxes Payload
{"type":"FeatureCollection","features":[{"type":"Feature","properties":{"playback":3,"playbackRate":"seconds","interval":1,"intervalRate":"years","title":"Sample Title","description":"Sample Description","start_time":946684800,"end_time":1577836800,"zoom":6,"center":[1766040.0266747456,729122.1624405942],"range":{"start":946684800000,"end":1577836800000},"speed":{"interval":31536000000,"seconds":3},"_offset":0,"_id":1444749022177}}]}
	Use of Hard-coded Credentials - Line 49 is check for bbox, not a credential
	Missing Encryption of Sensitive Data - Test settings are not used in production enviornments
	Cross-site Scripting - I am unable to reproduce the vulnerabilitiy using the documneted attack string
	https://maps.floridadisaster.org/GIS/rest/services/Facilities/Designated_Evacuation_Routes/MapServer/
	https://maps2.dcgis.dc.gov/dcgis/rest/services/DCGIS_DATA/ServiceRequests/MapServer/
	https://idpgis.ncep.noaa.gov/arcgis/services/NWS_Observations/radar_base_reflectivity/MapServer/WMSServer
	https://coast.noaa.gov/arcgis/rest/services/MarineCadastre/OceanUsesCalifornia/MapServer/
	https://idpgis.ncep.noaa.gov/arcgis/services/NWS_Forecasts_Guidance_Warnings/NHC_Atl_trop_cyclones_active/MapServer/WMSServer
	https://maps.cityofmadison.com/arcgis/rest/services/Water_Utility/MWU_Scheduled_Flushing/MapServer/
	https://gis.fema.gov/arcgis/rest/services/NSS/NSS_flex_facilities/MapServer/
	http://services.arcgisonline.com/arcgis/rest/services/Polar/Antarctic_Imagery/MapServer
	http://w20.education.state.mn.us/arcgis/rest/services/DistrictAttendanceBoundaries/MapServer/
	https://idpgis.ncep.noaa.gov/arcgis/rest/services/NOAA/MPA_Inventory_Fishing/MapServer/
	//Add this to map_viwer.html

	<a ng-click="toggleFlightPath(); $event.stopPropagation();">
	<i class="material-icons visible">show_chart</i>
	</a>


	//Add this to viewer.js near line 429
	var FLIGHT_PATH_CONST = true;
	$scope.toggleFlightPath = function (lyr) {
	{
	"nvd3": {
	"tabAppleStocks": [{
	"key": "Apple Stocks",
	"values": [{
	"x": 1,
	"y": 0.5
	}, {
	"x": 2,
	"y": 1.5
	<csw:Transaction xmlns:csw="http://www.opengis.net/cat/csw/2.0.2" xmlns:ows="http://www.opengis.net/ows" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.opengis.net/cat/csw/2.0.2 http://schemas.opengis.net/csw/2.0.2/CSW-publication.xsd" service="CSW" version="2.0.2" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dct="http://purl.org/dc/terms/" xmlns:registry="http://gis.harvard.edu/HHypermap/registry/0.1" >
	<csw:Insert>
	<csw:Record xmlns:registry="http://gis.harvard.edu/HHypermap/registry/0.1" >
	<dc:identifier>78deee94-abb0-4d55-a589-022c9aa8f83c</dc:identifier>
	<dc:title>American Bullfrog</dc:title>
	<dc:type>dataset</dc:type>
	<dc:format>OGC:WMS</dc:format>
	<dct:modified>2017-05-17</dct:modified>
	<dct:abstract>Jeremiah was a bullfrog</dct:abstract>
	<dc:creator>Boundless</dc:creator>
	/**
	* Namespace: OpenLayers.Date
	* Contains implementations of Date.parse and date.toISOString that match the
	* ECMAScript 5 specification for parsing RFC 3339 dates.
	* http://tools.ietf.org/html/rfc3339
	*/
	OpenLayers.Date = {

	/**
	* APIProperty: dateRegEx
	Aug 15, 2016 12:25:35 PM org.locationtech.geogig.rest.repository.CommandResource formatUnexpectedException
	SEVERE: Unexpected exception : 77b3f585-6e49-45a0-a918-20aff8bd23f8
	org.locationtech.geogig.storage.ConfigException: java.io.IOException: No such file or directory
	at org.locationtech.geogig.storage.fs.IniFileConfigDatabase$2.iniFile(IniFileConfigDatabase.java:96)
	at org.locationtech.geogig.storage.fs.INIFile.checkReload(INIFile.java:330)
	at org.locationtech.geogig.storage.fs.INIFile.get(INIFile.java:56)
	at org.locationtech.geogig.storage.fs.IniFileConfigDatabase.getGlobal(IniFileConfigDatabase.java:140)
	at org.locationtech.geogig.storage.bdbje.JEObjectDatabase.newTransaction(JEObjectDatabase.java:887)
	at org.locationtech.geogig.storage.bdbje.JEObjectDatabase.putInternal(JEObjectDatabase.java:628)
	at org.locationtech.geogig.storage.AbstractObjectStore.put(AbstractObjectStore.java:212)