[ 
https://issues.apache.org/jira/browse/SOLR-8308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014218#comment-15014218
 ] 

Erik Hatcher commented on SOLR-8308:
------------------------------------

Using a clean branch_5x checkout, I'm using these steps to reproduce:

{code}
$ bin/solr start
$ tail -f server/logs/solr.log &
$ bin/solr create -c foo
$ curl "http://localhost:8983/solr/admin/cores?wt=json&indexInfo=false&action=RENAME&core=foo&other=%3Csvg+onload%3Dalert(1)%3E"
{"responseHeader":{"status":0,"QTime":1}}
{code}

The rename worked, and is logged as:
{code}
2015-11-19 19:20:24.521 INFO  (qtp434176574-42) [   ] o.a.s.c.CoreContainer registering core: <svg onload=alert(1)>
2015-11-19 19:20:24.522 INFO  (qtp434176574-42) [   ] o.a.s.s.SolrDispatchFilter [admin] webapp=null path=/admin/cores params={core=foo&other=<svg+onload%3Dalert(1)>&indexInfo=false&action=RENAME&wt=json} status=0 QTime=1
{code}

And it is reported fine in /admin/cores?wt=json&indent=on:
{code}
  "status":{
    "<svg onload=alert(1)>":{
      "name":"<svg onload=alert(1)>",
{code}

I wasn't able to /select on that renamed core, though, but maybe there's some 
funky URL escaping that can be done to achieve even that?

In the default admin UI (the "old" one), the renamed core is not really 
selectable (it appears as a grey rectangle but otherwise seemingly inactive).   

Clicking over to the "New UI" with the top-right link and navigating to Core Admin, 
I see the silly-named core just fine; it's selectable and seems to otherwise 
work fine core-admin-UI-wise.

In neither the old nor the new admin UI did I get the alert (though does it work that 
way on an svg tag?) or see problems other than not being able to get a 
URL to /select to work.  No doubt we shouldn't allow such "non-identifier"-like 
names, but I'm not seeing an XSS vulnerability per se.

How can the XSS vulnerability be demonstrated?  Or maybe/hopefully it's just an 
annoyance that the core is no longer really addressable?


> XSS vulnerability
> -----------------
>
>                 Key: SOLR-8308
>                 URL: https://issues.apache.org/jira/browse/SOLR-8308
>             Project: Solr
>          Issue Type: Bug
>            Reporter: Adam Johnson
>
> You can rename a core using the following modified URL 
> https://SOLR:PORT/solr/admin/cores?wt=json&indexInfo=false&action=RENAME&core=test_app_shared2_replica2&other=%3Csvg+onload%3Dalert(1)%3E&_=1445468005152.
>  The core becomes inaccessible / unusable.  There should be more form 
> validation to the core name assignment



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

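The comment above shows the RENAME request succeeding and the raw name `<svg onload=alert(1)>` landing unchanged in the log line, the JSON status response and the admin UIs; whether that turns into XSS depends entirely on whether some consumer inserts the name into HTML without escaping. The following is an added example, not code from the ticket or from Solr itself: it decodes the `other` parameter the way the server would, applies a conservative identifier rule (letters, digits, underscore, hyphen, dot; an assumption for illustration, not Solr's actual validator), and shows the HTML-escaped form a UI must emit if it renders the name. The URL is the one from the reproduction steps; `CORE_NAME_RE`, `check_rename` and the other names are hypothetical.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed identifier rule for illustration only; this is not Solr's own check.
CORE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

# Constructed from the RENAME URL used in the comment above.
RENAME_URL = (
    "http://localhost:8983/solr/admin/cores?wt=json&indexInfo=false"
    "&action=RENAME&core=foo&other=%3Csvg+onload%3Dalert(1)%3E"
)


def requested_core_name(url):
    """Decode the `other` parameter as the server sees it.

    parse_qs turns '+' into a space and percent-decodes, so the
    encoded value %3Csvg+onload%3Dalert(1)%3E becomes a literal tag.
    """
    params = parse_qs(urlsplit(url).query)
    return params["other"][0]


def is_valid_core_name(name):
    """Accept only identifier-like names (assumed rule, see above)."""
    return bool(CORE_NAME_RE.match(name))


def render_core_name(name):
    """What a UI must emit if it puts the name into HTML: the escaped
    form is inert text, the raw form is a live <svg> element."""
    return html.escape(name, quote=True)


def check_rename(url):
    """Validate a RENAME request and report how the target name should be handled."""
    name = requested_core_name(url)
    return {
        "name": name,
        "valid": is_valid_core_name(name),
        "rendered": render_core_name(name),
    }


if __name__ == "__main__":
    result = check_rename(RENAME_URL)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The same decoded value appears verbatim in the solr.log line quoted above, so any log viewer or dashboard that renders log text as HTML is a second place where escaping (or rejecting the name up front) matters.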