[ https://issues.apache.org/jira/browse/SOLR-10031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl updated SOLR-10031:
-------------------------------
    Security: Public  (was: Private (Security Issue))

Issue made public now that ANNOUNCEMENT is made and 5.5.4 includes the fix.

> ReplicationHandler path traversal vulnerability
> -----------------------------------------------
>
>                 Key: SOLR-10031
>                 URL: https://issues.apache.org/jira/browse/SOLR-10031
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public (Default Security Level. Issues are Public)
>          Components: replication (java)
>    Affects Versions: 6.4
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Blocker
>             Fix For: 5.5.4, 6.4.1, master (7.0)
>
>         Attachments: path_traversal_fix.patch, SOLR-10031_branch5_5.patch, 
> SOLR-10031.patch, SOLR-10031.patch, SOLR-10031.patch, SOLR-10031.patch
>
>
> From: Mark Thomas <[email protected]>
> Subject: Fwd: Apache Solr - security vulnerability (path traversal attack)
> Date: 24 January 2017 at 13:14:36 CET
> To: [email protected]
> Cc: "[email protected]" <[email protected]>
> Reply-To: [email protected]
> Dear Apache Lucene PMC,
> The security vulnerability report has been received by the Apache
> Security Team and is being passed to you for action.
> Please take careful note of the following:
> - This information is private and should be treated accordingly. The
> issue must not be discussed on a public mailing list, it must not be
> added to a public bug tracker, etc.
> - The Lucene PMC is responsible for resolving this issue. The security
> team is here to provide help and advice but the responsibility to do the
> work lies with the Lucene PMC.
> You may find the "ASF Project Security for Committers" [1] a useful
> reference. This e-mail represents step three of that process. Step 4
> should be completed asap.
> Kind regards,
> Mark
> [1] http://www.apache.org/security/committers.html
> -------- Forwarded Message --------
> Subject:      Apache Solr - security vulnerability (path traversal attack)
> Date:         Mon, 23 Jan 2017 11:27:19 -0800
> From:         Hrishikesh Gadre <[email protected]>
> To:   [email protected]
> CC:   Hrishikesh Gadre <[email protected]>
> Hi,
> We found a path manipulation security vulnerability in Apache Solr after
> running HPE Fortify static code analyzer on the Solr codebase.
> Here is a brief description of this issue,
> - Apache Solr provides a "replication" handler which supports operations
> related to querying the state of an index as well as copying files
> associated with the index.
> https://cwiki.apache.org/confluence/display/solr/Index+Replication
> This handler supports an HTTP API
> (/replication?command=filecontent&file=<file_name>) which is vulnerable
> to path traversal attack. Specifically, this API does not perform any
> validation of the user specified file_name parameter. This can allow an
> attacker to download *any* file readable to Solr server process even if
> it is not related to the actual Solr index state.
> https://www.owasp.org/index.php/Path_Traversal
> I have verified this with the Solr version 6.3. But I believe this
> vulnerability to be present for much longer (going back to v 4.10.x). I
> am currently working on the fix. Please let me know the process to
> submit a patch for this.
> Thanks
> Hrishikesh



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
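
The missing validation described in the report, shown as an added Java example that is not part of the original message and is not the patch attached to SOLR-10031. The class, method names, directory and sample file names are hypothetical; the sketch contrasts joining the `file` parameter to the index directory unchecked with a containment check done after normalization.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration, not the Solr patch. All names and paths here are hypothetical.
public class FileParamCheck {
    // Unvalidated form: the parameter is joined to the directory as-is, so ".."
    // segments or an absolute path select a file outside the index directory.
    static Path resolveUnchecked(Path indexDir, String fileParam) {
        return indexDir.resolve(fileParam);
    }

    // Validated form: return a path only if it stays inside indexDir.
    static Path resolveChecked(Path indexDir, String fileParam) throws IOException {
        if (fileParam == null || fileParam.isEmpty()) {
            throw new IOException("missing file parameter");
        }
        Path base = indexDir.toAbsolutePath().normalize();
        Path candidate;
        try {
            candidate = base.resolve(fileParam).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("malformed file parameter", e);
        }
        // startsWith compares whole name elements, so ".../index2" is not inside ".../index".
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IOException("path escapes index directory");
        }
        // For an existing file, resolve symbolic links and compare again.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base.toRealPath())) {
            throw new IOException("link target escapes index directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path indexDir = Paths.get("/var/solr/data/core1/index"); // constructed path
        String[] samples = {"segments_2", "sub/../_0.cfs", "../conf/solrconfig.xml", "/etc/hostname"};
        for (String s : samples) {
            try {
                System.out.println("allow " + s + " -> " + resolveChecked(indexDir, s));
            } catch (IOException e) {
                System.out.println("deny  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

A stricter handler could additionally accept only names that appear in the file list of the index commit being replicated, which rules out every path that is not an index file at all.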
