Yes, it works because it exploits a CSRF issue and in my opinion it should also be fixed like XSS vulnerabilities in the application.
I think we don't understand each other. I'm going to send details to the private mailing list and I won't waste more of your time.

Regards,

2013/6/18 Uwe Schindler <[email protected]>

> Have fun with this web page:
>
> http://www.thetaphi.de/nukeyoursolrindex.html
>
> It really works, if you have a default Solr instance running on your local
> machine on default port with default collection, and you open this web page
> -> this nukes your index. This has nothing to do with the Admin interface.
>
> Uwe
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: [email protected]
>
> > -----Original Message-----
> > From: gregory draperi [mailto:[email protected]]
> > Sent: Tuesday, June 18, 2013 6:27 PM
> > To: general
> > Subject: Re: XSS Issue
> >
> > This is a Cross-Site Request Forgery issue (not an XSS) and should be
> > fixed, for example, by adding an unpredictable parameter to the request.
> >
> > I'm going to send to [email protected] what I have found.
> >
> > Best regards,
> >
> > Grégory
> >
> > 2013/6/18 Uwe Schindler <[email protected]>
> >
> > > Just to show this without the admin interface: Add these two images to
> > > any web page like this:
> > >
> > > <img src="http://localhost:8983/solr/collection1/update?stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E" />
> > > <img src="http://localhost:8983/solr/collection1/update?stream.body=%3Ccommit/%3E" />
> > >
> > > Anybody who visits this web page would nuke the index of his running
> > > solr server on the local machine - there is not even the admin web
> > > interface involved. Any REST API on earth has this problem, it is not
> > > specific to Solr!
> > >
> > > Uwe
> > >
> > > -----
> > > Uwe Schindler
> > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > http://www.thetaphi.de
> > > eMail: [email protected]
> > >
> > > > -----Original Message-----
> > > > From: Uwe Schindler [mailto:[email protected]]
> > > > Sent: Tuesday, June 18, 2013 6:01 PM
> > > > To: [email protected]
> > > > Cc: 'gregory draperi'
> > > > Subject: RE: XSS Issue
> > > >
> > > > Hi,
> > > >
> > > > you can of course send your investigation to [email protected], we
> > > > greatly appreciate this.
> > > > An XSS problem in the Solr Admin interface can for sure be solved somehow,
> > > > but would not help to make Solr secure. Without the admin interface you can
> > > > still add some image into any web page that executes a "delete whole index
> > > > request" on the Solr server.
> > > >
> > > > If you want to prevent this, you can add HTTP basic authentication to your
> > > > web container, as described in the solr wiki.
> > > >
> > > > In general: If you have e.g. an EC2 cloud of solr servers, add an extra security
> > > > group to your cloud and limit all access from outside. Then also no admin can
> > > > access this.
> > > >
> > > > -----
> > > > Uwe Schindler
> > > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > > http://www.thetaphi.de
> > > > eMail: [email protected]
> > > >
> > > > > -----Original Message-----
> > > > > From: gregory draperi [mailto:[email protected]]
> > > > > Sent: Tuesday, June 18, 2013 5:46 PM
> > > > > To: Uwe Schindler
> > > > > Cc: general
> > > > > Subject: Re: XSS Issue
> > > > >
> > > > > Yes he can do that but as I said the same problem can occur without
> > > > > his consent (and without a click) if he's on an arbitrary website
> > > > > which hosts an HTML IMG pointing to the vulnerable page of the solr
> > > > > administrator interface (like <IMG src="http://X.X.X.X/solr/admin/xss_vulnerable_page/> )
> > > > >
> > > > > I'm thankful for your quick responses even though I don't understand this
> > > > > philosophy. I note the point.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Grégory DRAPERI
> > > > >
> > > > > 2013/6/18 Uwe Schindler <[email protected]>
> > > > >
> > > > > > He can also delete his whole index with a single click on a http
> > > > > > link referring to his Solr server. This is his problem. Never click
> > > > > > on links from eMail.
> > > > > > Solr is, as said already, not secured at all. If you want a "secure"
> > > > > > Solr server, rewrite the whole thing. The same applies to other
> > > > > > Lucene based products like ElasticSearch that have no "security" included.
> > > > > >
> > > > > > -----
> > > > > > Uwe Schindler
> > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > > > > http://www.thetaphi.de
> > > > > > eMail: [email protected]
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: gregory draperi [mailto:[email protected]]
> > > > > > > Sent: Tuesday, June 18, 2013 5:26 PM
> > > > > > > To: Uwe Schindler
> > > > > > > Cc: general
> > > > > > > Subject: Re: XSS Issue
> > > > > > >
> > > > > > > Hi Uwe,
> > > > > > >
> > > > > > > Thank you for your quick response.
> > > > > > >
> > > > > > > I'm a little bit surprised because XSS is not a problem of making solr
> > > > > > > accessible or not to the Internet because this is a reflected XSS. If an
> > > > > > > administrator receives a mail with a malicious link pointing to the solr
> > > > > > > administrator interface and containing a malicious payload he will execute
> > > > > > > the JavaScript if he clicks on it.
> > > > > > >
> > > > > > > There are also other techniques that can be used to make a solr
> > > > > > > administrator execute this link without his consent (HTML IMG TAG pointing
> > > > > > > to the solr administration interface and hosted on a malicious website)
> > > > > > > and that will bypass network based protection.
> > > > > > >
> > > > > > > Regards,
> > > > > > >
> > > > > > > Grégory DRAPERI
> > > > > > >
> > > > > > > 2013/6/18 Uwe Schindler <[email protected]>
> > > > > > >
> > > > > > > > Hi Grégory,
> > > > > > > >
> > > > > > > > Solr should always only listen on private networks, never make
> > > > > > > > it accessible to the internet. This is officially documented; for
> > > > > > > > more information about this, see:
> > > > > > > > http://wiki.apache.org/solr/SolrSecurity
> > > > > > > > Solr uses HTTP as its programming API and you can do everything
> > > > > > > > Java allows via HTTP, but HTTP does not mean it must be open to
> > > > > > > > the internet. By opening a Solr server to the internet you are
> > > > > > > > somehow wrapping everything Java allows to the internet, so it is
> > > > > > > > not recommended. Solr also has no security features at all;
> > > > > > > > managing this is all up to the front-end, sitting on internet or
> > > > > > > > insecure networks.
> > > > > > > >
> > > > > > > > There are already some issues open to limit some XSS and similar access:
> > > > > > > > https://issues.apache.org/jira/browse/SOLR-4882
> > > > > > > >
> > > > > > > > Uwe
> > > > > > > >
> > > > > > > > -----
> > > > > > > > Uwe Schindler
> > > > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > > > > > > http://www.thetaphi.de
> > > > > > > > eMail: [email protected]
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: gregory draperi [mailto:[email protected]]
> > > > > > > > > Sent: Tuesday, June 18, 2013 3:13 PM
> > > > > > > > > To: [email protected]
> > > > > > > > > Subject: XSS Issue
> > > > > > > > >
> > > > > > > > > Dear Solr project members,
> > > > > > > > >
> > > > > > > > > I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2
> > > > > > > > > version of Solr.
> > > > > > > > >
> > > > > > > > > How can I give you more details?
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Grégory Draperi
> > > > > > >
> > > > > > > --
> > > > > > > Grégory Draperi
> > > > >
> > > > > --
> > > > > Grégory Draperi
> >
> > --
> > Grégory Draperi

--
Grégory Draperi
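The two `<img>` URLs in the thread work because a browser fetches them with no user interaction and Solr's `stream.body` parameter lets a GET carry what would otherwise be a POST body. The mitigation Grégory proposes is to require something an attacker's page cannot make the victim's browser send. What follows is an added example, not code from the thread or from Solr: a request policy of the kind a reverse proxy or servlet filter in front of Solr could enforce. It demands a custom header on update requests (the name `X-Solr-Request` is an assumption; any non-standard header works, since a browser will only attach one to a cross-origin request after a CORS preflight that Solr would never approve) and rejects updates via GET outright. The `Request` class stands in for whatever the proxy sees, and the sample traffic is constructed from the URLs quoted above.

```python
"""Request policy for a proxy or filter in front of Solr (added example).

Models the <img src="...update?stream.body=..."> vector from the thread and
the mitigation of demanding something an attacker's page cannot make the
victim's browser send. Not Solr's code; the header name is an assumption.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumed anti-CSRF header name (hypothetical). Any non-standard header works:
# a browser will not add it to an <img>, <form> or simple fetch() request
# cross-origin without a CORS preflight, which the proxy does not answer.
REQUIRED_HEADER = "X-Solr-Request"

# Content types a browser can send cross-origin from a <form> without a
# preflight; an update carrying one of these could have come from any page.
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


@dataclass
class Request:
    """Minimal view of an incoming HTTP request as a proxy sees it."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name):
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def stream_body(req):
    """Decoded stream.body query parameter, or None if absent.

    stream.body lets a GET carry what would otherwise be the POST body,
    which is what turns an <img> fetch into a delete or commit.
    """
    values = parse_qs(urlsplit(req.url).query).get("stream.body")
    return values[0] if values else None


def is_update(req):
    """True for the update handler (.../update or .../update/<format>)."""
    return "update" in urlsplit(req.url).path.strip("/").split("/")


def check(req):
    """Decide whether a request may reach Solr; returns (allowed, reason)."""
    if not is_update(req):
        return True, "not an update handler"
    if req.method.upper() in ("GET", "HEAD"):
        payload = stream_body(req)
        if payload is not None:
            return False, "update via GET with stream.body: " + payload
        return False, "update via GET"
    if req.header(REQUIRED_HEADER) is None:
        return False, "missing " + REQUIRED_HEADER + " header"
    ctype = (req.header("Content-Type") or "").split(";")[0].strip().lower()
    if not ctype or ctype in SIMPLE_CONTENT_TYPES:
        # Belt and braces: a real client sends XML or JSON, a <form> cannot.
        return False, "form-postable content type: " + (ctype or "none")
    return True, "ok"


SOLR = "http://localhost:8983/solr/collection1"

# Constructed sample traffic: the two <img> requests from the thread, an
# auto-submitted cross-site form, a normal read, and a real indexing client.
SAMPLES = {
    "img_delete": Request("GET", SOLR + "/update?stream.body="
                          "%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E"),
    "img_commit": Request("GET", SOLR + "/update?stream.body=%3Ccommit/%3E"),
    "form_post": Request("POST", SOLR + "/update",
                         {"Content-Type": "text/plain"},
                         b"<delete><query>*:*</query></delete>"),
    "select": Request("GET", SOLR + "/select?q=*:*"),
    "client_post": Request("POST", SOLR + "/update",
                           {"Content-Type": "application/xml",
                            REQUIRED_HEADER: "1"},
                           b"<commit/>"),
}


def audit(samples=SAMPLES):
    """Run the policy over a dict of named requests."""
    return {name: check(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in audit().items():
        print(f"{name:12} {'ALLOW' if allowed else 'DENY'}  {reason}")
```

Both `<img>` requests and the cross-site form are denied, the normal `/select` read and the indexing client's POST pass. Note the caveat behind this design: HTTP Basic auth in the container, as the wiki suggests, limits who may talk to Solr, but a browser that has already authenticated may reuse cached credentials on a subresource request, so authentication alone does not remove the cross-site vector; the header (or an unguessable token, which is equivalent) does, and restricting Solr to a private network remains the first line of defence.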
