Hi, I've realised just today at work that an unsecured Tomcat server will expose database credentials when Solr has been configured to import data with DataImportHandler. We do have basic authentication set up with Tomcat to prevent this, but there are quite a few servers out there on which the Solr config is publicly viewable. This endpoint also allows one to retrieve any file in the conf folder by simply modifying the URL. Google dorks already show several thousand public Solr instances easily.

I do realise Solr doesn't concern itself with access control, as stated in the wiki page, but I think a general warning message in the admin page if the server is publicly accessible would help. Also, it would be nice if one of the developers could send a passive email to the users list telling them to lock up their Solr setup.

Thanks,
Prasanth

P.S. This is my first mail to the solr-dev list. Solr is awesome!
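For readers who want to do what the post describes and put the Solr webapp behind Tomcat's basic authentication, here is an added example configuration (not from the original mail or the Solr project). The role name `solr-admin`, the realm name and the placeholder credentials are assumptions; the `<security-constraint>`, `<login-config>` and `<security-role>` elements go in the Solr webapp's `WEB-INF/web.xml`, and the user entry in Tomcat's `conf/tomcat-users.xml`.

```xml
<!-- WEB-INF/web.xml of the Solr webapp (added example, assumed role name) -->
<!-- Require an authenticated user for every Solr URL, including the admin
     UI, /select and the DataImportHandler endpoint, so solrconfig.xml,
     data-config.xml and the rest of the conf folder are no longer readable
     by anyone who can reach the port. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Solr (all handlers)</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>solr-admin</role-name>
  </auth-constraint>
  <!-- CONFIDENTIAL forces HTTPS; without it BASIC sends the Solr password
       base64-encoded in cleartext on every request. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Solr</realm-name>  <!-- assumed realm name -->
</login-config>

<security-role>
  <role-name>solr-admin</role-name>
</security-role>

<!-- conf/tomcat-users.xml (added example; placeholder credentials, replace
     them and keep the file readable only by the Tomcat service account) -->
<tomcat-users>
  <role rolename="solr-admin"/>
  <user username="solr" password="CHANGE-ME" roles="solr-admin"/>
</tomcat-users>
```

After restarting Tomcat, an unauthenticated request to any Solr path should return HTTP 401 rather than the handler's output; check the admin page and the DataImportHandler URL specifically, since those are the ones the post reports leaking the conf folder.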
