He can also delete his whole index with a single click on an http link referring to his Solr server. This is his problem. Never click on links from eMail. Solr is, as said already, not secured at all. If you want a "secure" Solr server, rewrite the whole thing. The same applies to other Lucene-based products like ElasticSearch that have no "security" included.
-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: [email protected]

> -----Original Message-----
> From: gregory draperi [mailto:[email protected]]
> Sent: Tuesday, June 18, 2013 5:26 PM
> To: Uwe Schindler
> Cc: general
> Subject: Re: XSS Issue
>
> Hi Uwe,
>
> Thank you for your quick response.
>
> I'm a little bit surprised because XSS is not a problem of making Solr
> accessible or not to the Internet, because this is a reflected XSS. If an
> administrator receives a mail with a malicious link pointing to the Solr
> administrator interface and containing a malicious payload, he will execute
> the JavaScript if he clicks on it.
>
> There are also other techniques that can be used to make a Solr administrator
> execute this link without his consent (an HTML IMG tag pointing to the Solr
> administration interface and hosted on a malicious website), and that will
> bypass network-based protection.
>
> Regards,
>
> Grégory DRAPERI
>
>
> 2013/6/18 Uwe Schindler <[email protected]>
>
> > Hi Grégory,
> >
> > Solr should always only listen on private networks; never make it
> > accessible to the internet. This is officially documented; for more
> > information about this, see: http://wiki.apache.org/solr/SolrSecurity
> > Solr uses HTTP as its programming API and you can do everything Java
> > allows via HTTP, but HTTP does not mean it must be open to the
> > internet. By opening a Solr server to the internet you are somehow
> > wrapping everything Java allows to the internet, so it is not
> > recommended. Solr also has no security features at all; managing this
> > is all up to the front-end, sitting on internet or insecure networks.
> >
> > There are already some issues open to limit some XSS and similar access:
> > https://issues.apache.org/jira/browse/SOLR-4882
> >
> > Uwe
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: [email protected]
> >
> >
> > > -----Original Message-----
> > > From: gregory draperi [mailto:[email protected]]
> > > Sent: Tuesday, June 18, 2013 3:13 PM
> > > To: [email protected]
> > > Subject: XSS Issue
> > >
> > > Dear Solr project members,
> > >
> > > I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2
> > > version of Solr.
> > >
> > > How can I give you more details?
> > >
> > > Regards,
> > >
> > > --
> > > Grégory Draperi
> >
> >
>
> --
> Grégory Draperi
