Summary by thomasito
A Server-Side Request Forgery was identified in the NASA WorldWind WMS GetMap endpoint via the SLD parameter. By supplying an SLD URL, the service fetched and processed the URL without validation, issuing outbound HTTP requests to internal addresses (e.g., localhost/127.0.0.1) and external hosts. Error responses from MapServer confirmed port state, service reachability and limited interaction, and path existence, enabling internal network reconnaissance and enumeration.