Ouch, not to mention the potential for XSS. I'll see if I can get in touch with someone.
Michael Della Bitta
------------------------------------------------
Appinions | 18 East 41st St., Suite 1806 | New York, NY 10017
www.appinions.com
Where Influence Isn’t a Game

On Wed, Aug 22, 2012 at 3:40 AM, Bernd Fehling <bernd.fehl...@uni-bielefeld.de> wrote:
> Now this is very scary. While searching for "solr direct access per docid" I got a hit
> from the US Homeland Security Digital Library. Interested in what they have to tell me
> about my search, I clicked on the link to the page. At first the page had nothing unusual
> about it, but why did I get the hit?
> http://www.hsdl.org/?collection/stratpol&id=4
>
> Inspecting the page source shows that they have the Solr query displayed directly
> on their page in a "span" with "style=display:none".
> -- snippet --
> <!-- Search Results -->
>
> <span style="display: none;">*** SOLR Query *** — q=Collection:0 AND
> (TabSection:("Congressional hearings and testimony", "Congressional
> reports", "Congressional resolutions", "Directives (presidential)",
> "Executive orders", "Major Legislation", "Public laws", "Reports (CBO)",
> "Reports (CHDS)", "Reports (CRS)",...
> ...
> AND (Title_nostem:("China Forces Senior Intelligence Officer")^10
> AlternateTitle_nostem:("China Forces Senior Intelligence Officer")^9)&sort=score desc&rows=30&start=0&indent=off&facet=on&facet.limit=10000&facet.mincount=1&fl=AlternateTitle_text,Collection,CoverageCountry,CoverageState,Creator_nostem,DateLastModified,DateOfRecordEntry,Description_text,DisplayDate,DocID,ExternalDocId,ExternalDocSource,FileDate,FileExtension,FileSize,FileTitle_text,Format,Language,PublishDate,Publisher_text,Publisher_nostem,ReportNumber,ResourceType,RetrievedFrom,Rights,Subjects,Source,TabSection,Title_text,URL_text,Alternate_URL_text,CreatedBy,ModifiedBy,Notes&wt=phps&facet.field=Creator&facet.field=Format&facet.field=Language&facet.field=Publisher&facet.field=TabSection</span>
> -- snippet --
>
> As you can see, I searched for "China Forces Senior Intelligence Officer", so this is directly showing the
> query string.
> Do they know that there is also a delete by query?
> And there are also escape sequences?
>
> This is what I call scary.
> Maybe some of the US fellows can give them a hint and a helping hand.
>
> Regards
> Bernd
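The leaked query above shows the visitor's search term spliced verbatim inside a quoted phrase in the Solr `q` parameter. As an added example (not code from the site or from anyone in this thread), the block below builds that `q` parameter two ways: by raw string splicing, as the leaked query appears to do, and by first backslash-escaping the Solr/Lucene query-parser metacharacters the way SolrJ's `ClientUtils.escapeQueryChars` does. The field names and boosts copy the leaked query; the base URL, the helper names and the injected search term are constructed for illustration and are not taken from the page.

```python
"""
Unsafe versus escaped construction of a Solr `q` parameter.

Field names and boosts mirror the query leaked in the hidden <span>
(Title_nostem / AlternateTitle_nostem). Everything else here is a
constructed example, not the site's code.
"""
from urllib.parse import urlencode

# Characters the Solr/Lucene classic query parser treats as syntax.
# This is the same set that SolrJ's ClientUtils.escapeQueryChars escapes
# (backslash, + - ! ( ) : ^ [ ] " { } ~ * ? | & ; / and whitespace).
SOLR_SPECIAL = set('\\+-!():^[]"{}~*?|&;/ ')


def escape_query_chars(term: str) -> str:
    """Backslash-escape every query-parser metacharacter in `term`.

    Inside a quoted phrase only '"' and '\\' strictly need escaping, but
    escaping the full set is the conservative default and also covers
    the case where the term is later used outside quotes.
    """
    return ''.join('\\' + c if c in SOLR_SPECIAL else c for c in term)


def build_q_unsafe(user_term: str) -> str:
    """Splice the raw term into the query, as the leaked query suggests.

    A term containing '") OR *:* OR ("' closes the phrase and the field
    clause, so the attacker now writes query syntax, not a search term.
    """
    return ('Collection:0 AND (Title_nostem:("%s")^10 '
            'AlternateTitle_nostem:("%s")^9)' % (user_term, user_term))


def build_q_safe(user_term: str) -> str:
    """Same query shape, but the term is escaped before it is spliced in."""
    escaped = escape_query_chars(user_term)
    return ('Collection:0 AND (Title_nostem:("%s")^10 '
            'AlternateTitle_nostem:("%s")^9)' % (escaped, escaped))


def unescaped_quotes(q: str) -> int:
    """Count '"' characters that are not backslash-escaped.

    A correctly built query of the shape above has exactly four phrase
    delimiters; any more means the user term broke out of its phrase.
    """
    count = 0
    for i, c in enumerate(q):
        if c == '"' and (i == 0 or q[i - 1] != '\\'):
            count += 1
    return count


def select_url(base: str, q: str) -> str:
    """Assemble the /select request. `base` is a hypothetical core URL."""
    params = {'q': q, 'sort': 'score desc', 'rows': 30,
              'start': 0, 'wt': 'json'}
    return base + '/select?' + urlencode(params)


if __name__ == '__main__':
    # Constructed attacker input: closes the phrase, then matches everything.
    injected = 'x") OR *:* OR ("x'
    base = 'http://solr.example.internal:8983/solr/hsdl'   # hypothetical
    for label, builder in (('unsafe', build_q_unsafe), ('safe', build_q_safe)):
        q = builder(injected)
        print(label, 'unescaped quotes =', unescaped_quotes(q))
        print('  ', select_url(base, q))
```

Escaping the term stops it from altering the query structure, but it does not address the other two points raised in the thread: the query string should not be emitted into the HTML at all (if it must be logged, log it server-side; if it is ever rendered, HTML-escape it, which is the XSS concern Michael raises), and delete-by-query lives on Solr's update handler, so the usual deployment keeps Solr on an internal address behind the application and never lets a browser reach `/update` directly. Nothing on the page says whether that site exposes its Solr instance; only the `/select` query is visible in the snippet.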