Hi Grégory,

Solr should always listen only on private networks, never make it accessible to the internet. This is officially documented; for more information about this, see: http://wiki.apache.org/solr/SolrSecurity

Solr uses HTTP as its programming API and you can do everything Java allows via HTTP, but HTTP does not mean it must be open to the internet. By opening a Solr server to the internet you are somehow wrapping everything Java allows to the internet, so it is not recommended. Solr also has no security features at all; managing this is all up to the front-end, sitting on internet or insecure networks.

There are already some issues open to limit some XSS and similar access: https://issues.apache.org/jira/browse/SOLR-4882

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: [email protected]

> -----Original Message-----
> From: gregory draperi [mailto:[email protected]]
> Sent: Tuesday, June 18, 2013 3:13 PM
> To: [email protected]
> Subject: XSS Issue
>
> Dear Solr project members,
>
> I think I have found a XSS (Cross-Site Scripting) issue in the 3.6.2 version of Solr.
>
> How can I give you more details?
>
> Regards,
>
> --
> Grégory Draperi
