[
https://issues.apache.org/jira/browse/SOLR-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12675524#action_12675524
]
Peter Wolanin commented on SOLR-1031:
-------------------------------------
To add a little more background - I ran into this bug while doing work on our
Drupal integration module. It's easy to demonstrate, and basically happens if
a script is indexed in an unprocessed or untokenized field (e.g. a string
field) and shows up as one of the top terms on the schema browser page
(schema.jsp) when one goes to examine a particular field.
The risk of allowing such script to execute cold include modification or
deletion of the index, as well as other XSS attacks, and the danger of a small
JS payload is potentially enhanced by the fact that is could probably use
jQuery functions like jQuery.post().
For the Drupal module we are mitigating this risk by using the PHP strip_tags()
function prior to indexing content, but it seems liek this is something Solr
should handle more generally.
I first observed the bug in Solr 1.3, and it's still present in trunk (1.4)
Re-posting Paul's patch with the preferred naming.
> XSS vulnerability in schema.jsp (patch included)
> ------------------------------------------------
>
> Key: SOLR-1031
> URL: https://issues.apache.org/jira/browse/SOLR-1031
> Project: Solr
> Issue Type: Bug
> Components: web gui
> Affects Versions: 1.2, 1.3
> Reporter: Paul Lovvik
> Attachments: SchemaXSS.patch, SOLR-1031.patch
>
>
> If javascript is embedded in any of the fields, it is possible for that
> javascript to be executed when viewing the schema.
> The javascript will appear in the "Top Terms" part of the UI.
> I have created a simple patch to prevent this problem from occurring.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
