Prafulla Kiran created SOLR-3419:
------------------------------------
Summary: XSS vulnerability in the json.wrf parameter
Key: SOLR-3419
URL: https://issues.apache.org/jira/browse/SOLR-3419
Project: Solr
Issue Type: Bug
Components: Response Writers
Affects Versions: 3.5
Reporter: Prafulla Kiran
Priority: Minor
There's no filtering of the wrapper function name passed to the Solr search
service.
If the name of the wrapper function passed to the Solr query service is the
following string -
%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E
Solr passes the string back as-is, which results in an XSS attack in browsers
like IE-7 which perform mime-sniffing. In any case, the callback function in a
JSONP response should always be sanitized -
http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call
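The allowlist check the report asks for, as an added example that is not part of the original report and is not Solr's own code. The class name, the identifier pattern and the length limit are assumptions chosen for illustration; the first test input is the string quoted in the report.

```java
import java.net.URLDecoder;
import java.util.regex.Pattern;

public class JsonpCallbackCheck {
    // Assumed policy: dot-separated ASCII JavaScript identifiers only,
    // e.g. "cb" or "app.handlers.onResult". No brackets, quotes or markup.
    private static final Pattern SAFE_CALLBACK = Pattern.compile(
        "[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*");
    private static final int MAX_LEN = 128; // assumed upper bound

    static boolean isSafeCallback(String name) {
        return name != null && !name.isEmpty() && name.length() <= MAX_LEN
            && SAFE_CALLBACK.matcher(name).matches(); // matches() covers the whole string
    }

    // Wraps the JSON body in the callback only when the name passes the
    // allowlist. A missing callback yields plain JSON; a bad one is rejected
    // rather than echoed, so nothing attacker-controlled reaches the response.
    static String wrap(String callback, String json) {
        if (callback == null) {
            return json;
        }
        if (!isSafeCallback(callback)) {
            throw new IllegalArgumentException("invalid json.wrf value");
        }
        return callback + "(" + json + ")";
    }

    public static void main(String[] args) throws Exception {
        String json = "{\"responseHeader\":{\"status\":0}}"; // constructed sample body
        String[] inputs = {
            // The json.wrf value from the report, decoded as a servlet container would.
            URLDecoder.decode("%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22"
                + "%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E", "UTF-8"),
            "handleResults",          // constructed: plain identifier
            "app.search.onResults",   // constructed: namespaced callback
            "cb);alert(1"             // constructed: tries to break out of the call
        };
        for (String in : inputs) {
            try {
                System.out.println("accepted: " + wrap(in, json));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + in);
            }
        }
    }
}
```

Only the two identifier-style names are accepted; the reported string and the break-out attempt are rejected before any response is built. Serving the response with a script content type is a complementary control, not a substitute for validating the name.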