[ https://issues.apache.org/jira/browse/SOLR-5742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13909709#comment-13909709 ]

Shawn Heisey commented on SOLR-5742:
------------------------------------

Thank you for your bug report.

If Solr is used as recommended, known and unknown security bugs are very 
difficult to exploit.  Solr should not be exposed to anyone you cannot fully 
trust, *especially* the Internet.

As you may already know, the admin UI was entirely rewritten for 4.x.  In 1.x 
and 3.x, the UI used JavaServer Pages, so each page in the UI has a .jsp 
extension.  The JSP code runs on the server side.

In 4.x, the UI is written in JavaScript and runs almost entirely in the 
browser, rather than the server.  All JSP code has been removed from Solr, and 
the example jetty does not even include the JSP module.

Solr 1.4.1 is the last 1.x version; there will not be another release.  Solr 
3.x is in maintenance mode.  This means that only fixes for severe bugs will be 
committed to that code branch.  Committers are focused on new development for 
4.x and trunk, with very little time to work on code that's over a year old and 
has not given any sign of show-stopper bugs.

So far there are no major Linux distributions that have packages for Solr 4.x, 
so version 3.6.x is still used quite a bit.  Every now and then I even hear 
from someone who's still using 1.4.1.

There have already been a number of security fixes applied to the 3.6 code 
branch, but there has not been any strong motivation to release 3.6.3, 
especially since upgrading to 4.x is likely to eliminate the problem.


> XSS vulnerability in Solr /admin/debug.jsp
> ------------------------------------------
>
>                 Key: SOLR-5742
>                 URL: https://issues.apache.org/jira/browse/SOLR-5742
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 1.4.1, 3.6.2
>         Environment: Ubuntu 12.04 (x64-64) hosting the example deployment 
> using Jetty
>            Reporter: Ben Lincoln
>
> The debug.jsp file included in the example deployment package for versions 
> 1.4.1 and 3.6.2 contains a reflected cross-site scripting vulnerability in 
> the "handler" URL parameter.
> E.g. 
> http://exampleserver:8983/solr/admin/debug.jsp?handler=<script>alert(1);</script>
> This file appears to have either been removed or disabled with the 4.x 
> releases.
> Unlike SOLR-4305, this is triggered immediately on page load and doesn't have 
> to be triggered as a JavaScript event-handler.


