[jira] [Commented] (SOLR-7346) Stored XSS in Admin UI Schema-Browser page and Analysis page

ASF subversion and git services (JIRA) Mon, 06 Apr 2015 09:51:06 -0700

    [ 
https://issues.apache.org/jira/browse/SOLR-7346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14481414#comment-14481414
 ]


ASF subversion and git services commented on SOLR-7346:
-------------------------------------------------------

Commit 1671580 from [~thelabdude] in branch 'dev/trunk'
[ https://svn.apache.org/r1671580 ]

SOLR-7346: Stored XSS in Admin UI Schema-Browser page and Analysis page

> Stored XSS in Admin UI Schema-Browser page and Analysis page
> ------------------------------------------------------------
>
>                 Key: SOLR-7346
>                 URL: https://issues.apache.org/jira/browse/SOLR-7346
>             Project: Solr
>          Issue Type: Bug
>          Components: UI
>    Affects Versions: 4.10.2, 5.0
>         Environment: linux x86_64
> jdk 1.7.0.75
> apache tomcat-7.0.57
> solr 5.0.0
>            Reporter: Mei Wang
>              Labels: patch, security
>   Original Estimate: 96h
>  Remaining Estimate: 96h
>
> Like CVE-2014-3628 , the vulnerability also exists in Admin UI Schema-Browser 
> page and Analysis page, which was caused by  improper validation of 
> user-supplied input, for example, create fields by Schema API.  When the 
> Schema-Browser page or Analysis page url is clicked,  an XSS will be 
> triggered. An attacker could use this vulnerability to steal the victim's 
> cookie-based authentication credentials. 
> patch for solr5.0.0
> {noformat}
> solr/webapp/web/js/scripts/schema-browser.js
>     --- schema-browser.js   2015-04-03 14:42:19.000000000 +0800
> +++ schema-browser_patch.js     2015-04-03 14:42:59.000000000 +0800
> @@ -596,7 +596,7 @@
>                      {
>                        fields.push
>                        (
> -                        '<option value="?field=' + field_name + '">' + 
> field_name + '</option>'
> +                        '<option value="?field=' + field_name.esc() + '">' + 
> field_name.esc() + '</option>'
>                        );
>                      }
>                      if( 0 !== fields.length )
> solr/webapp/web/js/scripts/analysis.js
> --- analysis.js 2015-04-03 14:22:34.000000000 +0800
> +++ analysis_patch.js   2015-04-03 14:23:09.000000000 +0800
> @@ -80,7 +80,7 @@
>                {
>                  fields.push
>                  (
> -                  '<option value="fieldname=' + field_name + '">' + 
> field_name + '</option>'
> +                  '<option value="fieldname=' + field_name.esc() + '">' + 
> field_name.esc() + '</option>'
>                  );
>                }
>                if( 0 !== fields.length )
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Commented] (SOLR-7346) Stored XSS in Admin UI Schema-Browser page and Analysis page

Reply via email to