A new patch that addresses security vulnerabilities for ArcGIS for Server has recently been released. The patch may be downloaded here for the relevant versions of ArcGIS Server:
These patches address the following bugs:
NIM092795 - The File Upload Filter for mobile content directories should block an upload of unwanted file types (10.1 SP1 & 10.2)
NIM092820 - The Mobile Content Directory in ArcGIS Server 10.1 SP1 has persistent cross-site scripting vulnerabilities. (10.1 SP1 & 10.2)
NIM092841 - Add a configurable property to the ArcGIS token service that disables support for HTTP GET. (10.1 SP1 & 10.2)
NIM094447 - There is a SQL injection vulnerability in map and feature services that allows unauthorized modification of data. (10.1 SP1 & 10.2)
NIM094481 - When StandardizedQueries is True, a map service's query operation ignores the definition expression set on the layer in the source map document when outStatistics gets used. (10.2 only)
NIM092874 - Code passed to ArcGIS Server through a parameterized/injected query results in an un-sanitized response. (10.1 SP1 only)
NIM093858 - The REST API should ignore invalid query parameters. (10.1 SP1 only)
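The token-service item above (NIM092841) matters to defenders because a token request sent with HTTP GET carries the username and password in the URL, where they end up in web-server access logs, proxy logs and browser history. The following is an added example, not Esri code or part of the patch: a small Python scanner over access-log lines that flags token requests made with GET and reports whether credential parameters were present in the query string. It assumes a common-log-style line format and that the token endpoint path contains `/tokens/` (for example `/arcgis/tokens/generateToken`); the sample log lines are constructed, not taken from a real server.

```python
"""Flag ArcGIS token-service requests that arrived over HTTP GET.

Added example (not Esri code). Assumptions:
  * access log lines are in a common-log-style format
  * the token endpoint path contains '/tokens/' (e.g. /arcgis/tokens/generateToken)
Adjust LOG_RE and TOKEN_PATH_MARKER for your own deployment.
"""
import re
from urllib.parse import parse_qs, urlsplit

# ip ident user [timestamp] "METHOD target protocol" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

TOKEN_PATH_MARKER = "/tokens/"          # assumed token endpoint path fragment
CRED_PARAMS = {"username", "password"}  # parameters that should never travel in a URL


def parse_line(line):
    """Return a dict of the log fields, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_get_token_request(rec):
    """True when the request is a GET whose path looks like the token service."""
    if rec["method"] != "GET":
        return False
    return TOKEN_PATH_MARKER in urlsplit(rec["target"]).path.lower()


def credential_params(rec):
    """Names of credential parameters present in the query string (values are not returned)."""
    qs = parse_qs(urlsplit(rec["target"]).query)
    return sorted(k for k in qs if k.lower() in CRED_PARAMS)


def scan(lines):
    """Return one finding per GET token request, with line number, client IP and status."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or not is_get_token_request(rec):
            continue
        findings.append({
            "line": n,
            "ip": rec["ip"],
            "status": rec["status"],
            "credential_params": credential_params(rec),
        })
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, no real credentials).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Sep/2013:10:15:01 +0100] "GET /arcgis/tokens/generateToken?username=gisadmin&password=REDACTED&f=json HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Sep/2013:10:15:07 +0100] "POST /arcgis/tokens/generateToken HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Sep/2013:10:16:30 +0100] "GET /arcgis/rest/services/Roads/MapServer/0/query?where=1%3D1&f=json HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/Sep/2013:10:17:02 +0100] "GET /arcgis/tokens/generateToken?f=json HTTP/1.1" 400 88',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        creds = ", ".join(f["credential_params"]) or "none"
        print(f'line {f["line"]}: GET token request from {f["ip"]} '
              f'(status {f["status"]}, credential params in URL: {creds})')
```

Run against the constructed sample, the scanner reports lines 1 and 4 and shows that line 1 carried both `username` and `password` in the URL; the POST on line 2 and the ordinary map-service query on line 3 are not flagged. Any hit with credential parameters is a sign that clients still use GET for tokens and that, once the patch is applied, the new property disabling GET support can be turned on without breaking them only after those clients are updated.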
Further information regarding the vulnerabilities addressed by these patches may be found here:
This patch also introduces new functionality for administrators, more information about which can be found here.
Esri UK recommends that all customers install the appropriate patch at their earliest convenience.
Customers should be aware that the above security patch for ArcGIS for Server 10.1 SP1 has been shown to cause replication (when using geodata services) to fail. This has been logged as the following bug:
NIM095900 - The installation of the ArcGIS 10.1 SP1 for Server Security Patch (September 2013) causes the creation and synchronization of replicas to fail when using a geodata service as one of the input geodatabases. The error called is "Synchronize Replica failed Bad syntax request".
Please bear this in mind before installing the security patch.
If you have already installed the security patch and have encountered this issue, the current advice is to uninstall the security patch. A permanent fix is currently being investigated and will be released for this issue in due course.
NB: This issue is not thought to affect the 10.2 version of the security patch.