Yes he can do that but as I said the same problem can occur without his consent (and without a click) if he's on an arbitrary website which hosts an HTML IMG pointing to the vulnerable page of the Solr administrator interface (like <IMG src="http://X.X.X.X/solr/admin/xss_vulnerable_page/">).

I'm thankful for your quick responses even though I don't understand this philosophy. I note the point.

Regards,

Grégory DRAPERI

2013/6/18 Uwe Schindler <[email protected]>

> He can also delete his whole index with a single click on a http link
> referring to his Solr server. This is his problem. Never click on links
> from eMail.
> Solr is, as said already, not secured at all. If you want a "secure" Solr
> server, rewrite the whole thing. The same applies to other Lucene based
> products like ElasticSearch that have no "security" included.
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: [email protected]
>
>
> > -----Original Message-----
> > From: gregory draperi [mailto:[email protected]]
> > Sent: Tuesday, June 18, 2013 5:26 PM
> > To: Uwe Schindler
> > Cc: general
> > Subject: Re: XSS Issue
> >
> > Hi Uwe,
> >
> > Thank you for your quick response.
> >
> > I'm a little bit surprised because XSS is not a problem of making Solr
> > accessible or not to the Internet, because this is a reflected XSS. If an
> > administrator receives a mail with a malicious link pointing to the Solr
> > administrator interface and containing a malicious payload he will execute
> > the JavaScript if he clicks on it.
> >
> > There are also other techniques that can be used to make a Solr
> > administrator execute this link without his consent (HTML IMG TAG pointing
> > to the Solr administration interface and hosted on a malicious website)
> > and that will bypass network based protection.
> >
> > Regards,
> >
> > Grégory DRAPERI
> >
> >
> > 2013/6/18 Uwe Schindler <[email protected]>
> >
> > > Hi Grégory,
> > >
> > > Solr should always only listen on private networks, never make it
> > > accessible to the internet. This is officially documented; for more
> > > information about this, see: http://wiki.apache.org/solr/SolrSecurity
> > > Solr uses HTTP as its programming API and you can do everything Java
> > > allows via HTTP, but HTTP does not mean it must be open to the
> > > internet. By opening a Solr server to the internet you are somehow
> > > wrapping everything Java allows to the internet, so it is not
> > > recommended. Solr also has no security features at all; managing this
> > > is all up to the front-end, sitting on internet or insecure networks.
> > >
> > > There are already some issues open to limit some XSS and similar access:
> > > https://issues.apache.org/jira/browse/SOLR-4882
> > >
> > > Uwe
> > >
> > > -----
> > > Uwe Schindler
> > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > http://www.thetaphi.de
> > > eMail: [email protected]
> > >
> > >
> > > > -----Original Message-----
> > > > From: gregory draperi [mailto:[email protected]]
> > > > Sent: Tuesday, June 18, 2013 3:13 PM
> > > > To: [email protected]
> > > > Subject: XSS Issue
> > > >
> > > > Dear Solr project members,
> > > >
> > > > I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2
> > > > version of Solr.
> > > >
> > > > How can I give you more details?
> > > >
> > > > Regards,
> > > >
> > > > --
> > > > Grégory Draperi
> >
> >
> > --
> > Grégory Draperi

--
Grégory Draperi
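The two mechanisms argued over in this thread (a reflected parameter pasted into the admin page as HTML, and a state-changing operation reachable by a plain GET that any `<img>` tag or mail link can trigger) are both handled on the server side, not by network placement. The following Python sketch is an added illustration and not Solr code or anything posted by the participants; the handler name `handle_request`, the endpoint paths, `ADMIN_ORIGIN` and the probe string are assumptions constructed for the example. It shows the unencoded reflection beside the encoded one, and a dispatcher that refuses state changes on GET and checks the `Origin` header on POST.

```python
# Added illustration (not Solr code): output encoding for reflected parameters,
# plus two request-level defences against cross-site triggering of admin actions.
# All names, paths and sample values below are assumptions for this example.
import html
from urllib.parse import parse_qs

# Assumed origin of the legitimate admin UI; browsers attach it to cross-site POSTs.
ADMIN_ORIGIN = "http://solr.internal:8983"

# Assumed state-changing endpoints. A browser issues a GET for every <img src>
# and every clicked link, so these must not be reachable by GET at all.
STATE_CHANGING = {"/solr/admin/delete_index"}


def render_echo(query: str, encode: bool = True) -> str:
    """Render a page that reflects the 'q' parameter back to the user.

    encode=False models the reflected-XSS class the thread describes: the
    request parameter is inserted into the document as markup.
    encode=True is the fix: HTML-encode it so the browser renders it as text.
    """
    q = parse_qs(query).get("q", [""])[0]
    shown = html.escape(q, quote=True) if encode else q
    return f"<html><body><p>Results for: {shown}</p></body></html>"


def handle_request(method: str, path: str, query: str, headers: dict,
                   encode: bool = True) -> tuple:
    """Minimal dispatcher returning (status, body).

    1. State-changing operations require POST, so an <img> tag or a link in
       a mail cannot trigger them.
    2. State-changing POSTs must carry an Origin header equal to the admin UI's
       origin, which rejects cross-site form posts from a malicious page.
    3. Anything reflected into HTML goes through render_echo with encoding on.
    """
    if path in STATE_CHANGING:
        if method != "POST":
            return 405, "state-changing operation requires POST"
        if headers.get("Origin") != ADMIN_ORIGIN:
            return 403, "cross-origin request rejected"
        return 200, "index deleted"
    if path == "/solr/admin/echo":
        return 200, render_echo(query, encode)
    return 404, "not found"


def reflects_raw_markup(body: str, marker: str) -> bool:
    """Check helper: does the raw (unencoded) marker survive into the page?"""
    return marker in body


if __name__ == "__main__":
    # Constructed harmless probe: "<b>probe</b>" URL-encoded as the q parameter.
    probe = "q=%3Cb%3Eprobe%3C/b%3E"
    print(handle_request("GET", "/solr/admin/echo", probe, {}, encode=False)[1])
    print(handle_request("GET", "/solr/admin/echo", probe, {})[1])
    print(handle_request("GET", "/solr/admin/delete_index", "", {}))
```

The `Origin` check is the cheap form of cross-site request protection; a per-session anti-forgery token is the more general one, but either makes the "single click on a http link" scenario fail regardless of whether the admin's browser sits inside the private network.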
