[jira] [Updated] (SOLR-3419) XSS vulnerability in the json.wrf parameter
[ https://issues.apache.org/jira/browse/SOLR-3419?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Brockmeier updated SOLR-3419:
-----------------------------------
    Attachment: Screen Shot 2017-10-17 at 3.14.43 PM.png

> XSS vulnerability in the json.wrf parameter
> -------------------------------------------
>
>                 Key: SOLR-3419
>                 URL: https://issues.apache.org/jira/browse/SOLR-3419
>             Project: Solr
>          Issue Type: Bug
>          Components: Response Writers
>    Affects Versions: 3.5
>            Reporter: Prafulla Kiran
>            Priority: Minor
>         Attachments: SOLR-3419-escape.patch, Screen Shot 2017-10-17 at 3.14.43 PM.png
>
>
> There's no filtering of the wrapper function name passed to the Solr search service.
> If the name of the wrapper function passed to the Solr query service is the following string -
> %3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E
> Solr passes the string back as-is, which results in an XSS attack in browsers like IE-7 which perform mime-sniffing. In any case, the callback function in a JSONP response should always be sanitized -
> http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Updated] (SOLR-3419) XSS vulnerability in the json.wrf parameter
[ https://issues.apache.org/jira/browse/SOLR-3419?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan McKinley updated SOLR-3419:
--------------------------------
    Attachment: SOLR-3419-escape.patch

seems like this can not hurt

> XSS vulnerability in the json.wrf parameter
> -------------------------------------------
>
>                 Key: SOLR-3419
>                 URL: https://issues.apache.org/jira/browse/SOLR-3419
>             Project: Solr
>          Issue Type: Bug
>          Components: Response Writers
>    Affects Versions: 3.5
>            Reporter: Prafulla Kiran
>            Priority: Minor
>         Attachments: SOLR-3419-escape.patch
>
>
> There's no filtering of the wrapper function name passed to the Solr search service.
> If the name of the wrapper function passed to the Solr query service is the following string -
> %3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E
> Solr passes the string back as-is, which results in an XSS attack in browsers like IE-7 which perform mime-sniffing. In any case, the callback function in a JSONP response should always be sanitized -
> http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
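As an added illustration of the sanitization the report asks for (my own example, not code from Solr or from the SOLR-3419-escape.patch attachment, which is not reproduced here), the wrapper name is checked against an allowlist for a dotted JavaScript identifier and rejected otherwise, and the reply declares its real content type with `X-Content-Type-Options: nosniff` so a sniffing browser does not reinterpret it as HTML. The function names, the length cap and the 400 response are assumptions; the rejected input is the string quoted in the report.

```python
import re
from urllib.parse import unquote

# Allowlist for a JSONP wrapper name: a JavaScript identifier, optionally
# dotted (e.g. "jQuery.fn.cb"), with a length cap (64 is an assumed value).
# Invalid names are rejected outright rather than escaped, so nothing from the
# query string other than an identifier can reach the response body.
_CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*")
MAX_CALLBACK_LEN = 64


def is_safe_callback(name: str) -> bool:
    """True only if name is a plain (dotted) JS identifier within the cap."""
    # fullmatch, not match: "$" in a pattern would still match before a
    # trailing newline, and the whole string must be the identifier.
    return len(name) <= MAX_CALLBACK_LEN and _CALLBACK_RE.fullmatch(name) is not None


def jsonp_response(wrf: str, body_json: str):
    """Build (status, headers, body) for a JSONP reply.

    wrf is the raw json.wrf query value as the client sent it (URL-encoded);
    body_json is the already-serialized JSON payload to wrap.
    """
    name = unquote(wrf)
    if not is_safe_callback(name):
        # Assumed policy: refuse the request instead of reflecting the value.
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid json.wrf"
    headers = {
        # Declare the real type and tell sniffing browsers to trust it.
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, f"{name}({body_json});"


# Constructed inputs: the value quoted in the bug report and an ordinary callback.
REPORTED_WRF = (
    "%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22"
    "%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E"
)
NORMAL_WRF = "jQuery1710.cb"

if __name__ == "__main__":
    for wrf in (NORMAL_WRF, REPORTED_WRF):
        status, headers, body = jsonp_response(wrf, '{"responseHeader":{"status":0}}')
        print(status, headers, body)
```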