[jira] [Commented] (SOLR-3419) XSS vulnerability in the json.wrf parameter

2015-10-07 Thread Prafulla Kiran (JIRA)

[ https://issues.apache.org/jira/browse/SOLR-3419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14946692#comment-14946692 ]

Prafulla Kiran commented on SOLR-3419:
--

It most likely isn't. I'm not in a position to verify this. Can someone
from Solr close this?




> XSS vulnerability in the json.wrf parameter
> ---
>
> Key: SOLR-3419
> URL: https://issues.apache.org/jira/browse/SOLR-3419
> Project: Solr
>  Issue Type: Bug
>  Components: Response Writers
>Affects Versions: 3.5
>Reporter: Prafulla Kiran
>Priority: Minor
> Attachments: SOLR-3419-escape.patch
>
>
> There's no filtering of the wrapper function name passed to the Solr search
> service.
> If the name of the wrapper function passed to the Solr query service is the
> following string:
> %3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E
> Solr passes the string back as-is, which results in an XSS attack in browsers
> like IE 7 which perform MIME sniffing. In any case, the callback function in
> a JSONP response should always be sanitized:
> http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org



[jira] [Created] (SOLR-3419) XSS vulnerability in the json.wrf parameter

2012-04-27 Thread Prafulla Kiran (JIRA)
Prafulla Kiran created SOLR-3419:


 Summary: XSS vulnerability in the json.wrf parameter
 Key: SOLR-3419
 URL: https://issues.apache.org/jira/browse/SOLR-3419
 Project: Solr
  Issue Type: Bug
  Components: Response Writers
Affects Versions: 3.5
Reporter: Prafulla Kiran
Priority: Minor


There's no filtering of the wrapper function name passed to the Solr search
service.
If the name of the wrapper function passed to the Solr query service is the
following string:
%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E

Solr passes the string back as-is, which results in an XSS attack in browsers
like IE 7 which perform MIME sniffing. In any case, the callback function in a
JSONP response should always be sanitized:
http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira



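The check the report asks for, as an added example that is not Solr's code and not the SOLR-3419-escape.patch attached to the issue: the json.wrf value is validated against an allowlist of dotted JavaScript identifiers before it is reflected, and rejected with a 400 rather than escaped, since a function name has no useful escaped form. The allowlist grammar, the error response shape and the hardening headers are assumptions of this example; the payload string is the one quoted in the issue.

```python
"""Added example (not Solr's code): validating a JSONP callback name such as
Solr's json.wrf parameter before echoing it into the response body.

Assumptions (hypothetical, not taken from the issue): an allowlist grammar of
dotted JavaScript identifiers with optional numeric indexes, a 400 response for
anything else, and the usual JSONP hardening headers and prefix."""
import json
import re
from typing import Optional, Tuple

# Allowlist: an identifier, optionally followed by .identifier or [digits] segments.
# Anything else (angle brackets, quotes, parentheses, spaces, semicolons) is rejected.
_CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*|\[\d+\])*", re.ASCII)

# The payload quoted in SOLR-3419, exactly as it appears in the report (URL-encoded).
REPORTED_PAYLOAD = (
    "%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22"
    "%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E"
)


def is_safe_callback(name: str) -> bool:
    """True only if name is a plain dotted JS identifier such as jQuery17_1.cb or h[0]."""
    return bool(name) and _CALLBACK_RE.fullmatch(name) is not None


def jsonp_response(payload: dict, callback: Optional[str]) -> Tuple[int, dict, str]:
    """Build (status, headers, body) for a JSON or JSONP response.

    The callback is validated, never reflected raw, so even a browser that
    sniffs the content type (the IE 7 case in the report) only ever sees an
    identifier in the part of the body the client controls.
    """
    if callback is None:
        return 200, {"Content-Type": "application/json; charset=utf-8"}, json.dumps(payload)
    if not is_safe_callback(callback):
        err = {"error": "invalid json.wrf callback name"}
        return 400, {"Content-Type": "application/json; charset=utf-8"}, json.dumps(err)
    headers = {
        # Script type, never text/html, so a compliant browser treats the body as JS.
        "Content-Type": "application/javascript; charset=utf-8",
        # Stops sniffing in IE 8+ and other browsers; IE 7 ignores it, which is
        # why validating the callback itself is the primary defense here.
        "X-Content-Type-Options": "nosniff",
    }
    # "/**/" prefix: the body never starts with client-chosen bytes and stays a
    # valid JS statement. json.dumps escapes non-ASCII (including U+2028/2029)
    # by default, so the JSON literal is safe to embed inside a script.
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    return 200, headers, body


def check_reported_payload() -> bool:
    """Decode the URL-encoded payload from the report and ask whether it passes."""
    from urllib.parse import unquote
    return is_safe_callback(unquote(REPORTED_PAYLOAD))


if __name__ == "__main__":
    print("reported payload accepted?", check_reported_payload())
    print(jsonp_response({"responseHeader": {"status": 0}}, "jQuery17103_1335"))
    print(jsonp_response({"responseHeader": {"status": 0}}, "<img src=x onerror=alert(1)>")[0])
```

Running it prints `False` for the reported payload, a 200 response wrapped as `/**/jQuery17103_1335({...});` for a normal jQuery-style callback, and `400` for the HTML string. The regex deliberately accepts `a.b` and `a[0]` because real JSONP clients use namespaced callbacks; widening it further (for example to allow `(`) would reintroduce the bug.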