[jira] [Commented] (SOLR-3419) XSS vulnerability in the json.wrf parameter
[ https://issues.apache.org/jira/browse/SOLR-3419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16208354#comment-16208354 ]

Uwe Schindler commented on SOLR-3419:

This version of Solr is out of maintenance. So there won't be any update. Later versions have a totally different Web UI.

> XSS vulnerability in the json.wrf parameter
> ---
>
> Key: SOLR-3419
> URL: https://issues.apache.org/jira/browse/SOLR-3419
> Project: Solr
> Issue Type: Bug
> Components: Response Writers
> Affects Versions: 3.5
> Reporter: Prafulla Kiran
> Priority: Minor
> Attachments: SOLR-3419-escape.patch, Screen Shot 2017-10-17 at 3.14.43 PM.png
>
>
> There's no filtering of the wrapper function name passed to the solr search service
> If the name of the wrapper function passed to the solr query service is the following string -
> %3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E
> solr passes the string back as-is which results in an XSS attack in browsers like IE-7 which perform mime-sniffing. In any case, the callback function in a jsonp response should always be sanitized -
> http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call

--
This message was sent by Atlassian JIRA (v6.4.14#64029)

To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
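The sanitization the quoted issue description asks for, as an added example that is not Solr's code and not from anyone in this thread: a server-side allowlist for a JSONP wrapper name such as json.wrf, a 400 response when the name fails it, and the response headers that stop the MIME sniffing the report relies on. The function names (isSafeCallbackName, jsonForScript, buildJsonpResponse) and the sample search result are assumptions; the rejected wrapper string is the one from the report, decoded.

```javascript
'use strict';

// Added example (not Solr's code): validate a JSONP wrapper name such as
// json.wrf before echoing it, and send headers that stop MIME sniffing.
// The names isSafeCallbackName, jsonForScript and buildJsonpResponse are
// assumptions, not Solr APIs.

// A callback may be a dotted chain of plain JS identifiers, e.g. "cb",
// "jQuery.handler" or "window.app.cb". Nothing else is ever echoed back.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Keywords match the identifier regex but are not callable names.
const RESERVED = new Set([
  'eval', 'function', 'return', 'var', 'let', 'const', 'new',
  'delete', 'this', 'typeof', 'void', 'import', 'export',
]);

function isSafeCallbackName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 128) {
    return false;
  }
  if (!SAFE_CALLBACK.test(name)) return false;
  return !name.split('.').some((segment) => RESERVED.has(segment));
}

// JSON.stringify leaves U+2028/U+2029 raw; inside a <script> they end a
// line and would break the wrapper call, so escape them in the JS body.
function jsonForScript(payload) {
  return JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Returns {status, headers, body} for a search result. `callback` is the
// raw wrapper parameter from the query string (undefined when absent).
function buildJsonpResponse(callback, payload) {
  // nosniff makes browsers honour the declared type instead of sniffing
  // HTML out of the body (the IE-7 behaviour the report describes).
  const baseHeaders = { 'X-Content-Type-Options': 'nosniff' };

  if (callback === undefined || callback === null || callback === '') {
    return {
      status: 200,
      headers: { ...baseHeaders, 'Content-Type': 'application/json; charset=utf-8' },
      body: JSON.stringify(payload),
    };
  }
  if (!isSafeCallbackName(callback)) {
    // Reject outright: the bug in the report is echoing any part of a bad name.
    return {
      status: 400,
      headers: { ...baseHeaders, 'Content-Type': 'application/json; charset=utf-8' },
      body: JSON.stringify({ error: 'invalid wrapper function name' }),
    };
  }
  return {
    status: 200,
    headers: { ...baseHeaders, 'Content-Type': 'application/javascript; charset=utf-8' },
    // Leading comment so the first bytes of the body are never caller-chosen.
    body: `/**/ ${callback}(${jsonForScript(payload)});`,
  };
}

// Constructed sample inputs: a Solr-like result and the wrapper string from
// the report, decoded.
const SAMPLE_RESULT = {
  responseHeader: { status: 0 },
  response: { numFound: 1, docs: [{ id: 'doc1' }] },
};
const REPORTED_WRAPPER = decodeURIComponent(
  '%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E'
);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildJsonpResponse('jQuery.cb', SAMPLE_RESULT).body);
  console.log(buildJsonpResponse(REPORTED_WRAPPER, SAMPLE_RESULT));
}
```

The allowlist bounds the body to a single call expression with a known-safe callee name; it does not stop a caller from choosing any global function, which is inherent to JSONP and is why the nosniff and JavaScript content-type headers are sent regardless of the name. Rejecting with 400 rather than stripping characters keeps any part of an invalid name out of the response.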
[jira] [Commented] (SOLR-3419) XSS vulnerability in the json.wrf parameter
[ https://issues.apache.org/jira/browse/SOLR-3419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16208343#comment-16208343 ]

Chris Brockmeier commented on SOLR-3419:

There is a code fragment above (Attached) that possibly identifies a solution for this. Are you going to update the product for this? I also attached an Acunetix Web Scan to display the issue.
[jira] [Commented] (SOLR-3419) XSS vulnerability in the json.wrf parameter
[ https://issues.apache.org/jira/browse/SOLR-3419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15575505#comment-15575505 ]

Shayne Urbanowski commented on SOLR-3419:

I'm not sure that this is only related to the admin UI. My security scanning tool is detecting a vulnerability related to embedding a script tag in the json.wrf, callback, group, facet or _ parameters in Solr API requests.
[jira] [Commented] (SOLR-3419) XSS vulnerability in the json.wrf parameter
[ https://issues.apache.org/jira/browse/SOLR-3419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14946692#comment-14946692 ]

Prafulla Kiran commented on SOLR-3419:

It most likely isn't. I'm not in a position to verify this. Can someone from SOLR close this?
[jira] [Commented] (SOLR-3419) XSS vulnerability in the json.wrf parameter
[ https://issues.apache.org/jira/browse/SOLR-3419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14946754#comment-14946754 ]

Upayavira commented on SOLR-3419:

After some digging, I realised that this was referring to the 3.x admin UI, which has long since been replaced. Closing this ticket.
[jira] [Commented] (SOLR-3419) XSS vulnerability in the json.wrf parameter
[ https://issues.apache.org/jira/browse/SOLR-3419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14945981#comment-14945981 ]

Shawn Heisey commented on SOLR-3419:

My boss asked me about cross-site vulnerabilities in Solr today. I remembered reading something about some vulnerabilities, so I went looking and found this. This issue is particularly old and the code in 5.x is likely very different. Is this still a problem?
[jira] [Commented] (SOLR-3419) XSS vulnerability in the json.wrf parameter
[ https://issues.apache.org/jira/browse/SOLR-3419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13689032#comment-13689032 ]

Stanislav Stolpovskiy commented on SOLR-3419:

I tried to reproduce this on Solr 3.4 and HTML characters were automatically escaped in my case. Does it mean that this vulnerability is present only in version 3.5?
[jira] [Commented] (SOLR-3419) XSS vulnerability in the json.wrf parameter
[ https://issues.apache.org/jira/browse/SOLR-3419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13632997#comment-13632997 ]

James Frank commented on SOLR-3419:

Just an agreement that this should be resolved and SOLR should sanitize the json.wrf callback. We are facing an issue where this vulnerability was pulled up in a security scan and we will need to implement external sanitization through a proxy in order to resolve it. This is really something that should be happening internally.