Posted to dev@lucene.apache.org by "Mei Wang (JIRA)" <ji...@apache.org> on 2015/04/03 08:46:52 UTC

[jira] [Created] (SOLR-7346) Stored XSS in Admin UI Schema-Browser page and Analysis page

Mei Wang created SOLR-7346:
------------------------------

             Summary: Stored XSS in Admin UI Schema-Browser page and Analysis page
                 Key: SOLR-7346
                 URL: https://issues.apache.org/jira/browse/SOLR-7346
             Project: Solr
          Issue Type: Bug
          Components: UI
    Affects Versions: 5.0, 4.10.2
         Environment: linux x86_64
jdk 1.7.0.75
apache tomcat-7.0.57
solr 5.0.0
            Reporter: Mei Wang


Like CVE-2014-3628, the vulnerability also exists in the Admin UI Schema-Browser page and Analysis page, which is caused by improper validation of user-supplied input, for example fields created by the Schema API. When the Schema-Browser page or Analysis page URL is clicked, an XSS will be triggered. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Patch for Solr 5.0.0:
solr/webapp/web/js/scripts/schema-browser.js
    --- schema-browser.js   2015-04-03 14:42:19.000000000 +0800
+++ schema-browser_patch.js     2015-04-03 14:42:59.000000000 +0800
@@ -596,7 +596,7 @@
                     {
                       fields.push
                       (
-                        '<option value="?field=' + field_name + '">' + field_name + '</option>'
+                        '<option value="?field=' + field_name.esc() + '">' + field_name.esc() + '</option>'
                       );
                     }
                     if( 0 !== fields.length )
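Review bot: `.esc()` on the `+` line covers the HTML contexts, but the `value="?field=..."` attribute is also a URL query string, so a field name containing `&`, `=` or `#` still alters the `field` parameter after HTML escaping; use `encodeURIComponent(field_name).esc()` for the attribute and keep `field_name.esc()` for the option text. Also confirm that `esc()` encodes `"`, since the value is double-quoted and the attribute can otherwise still be closed.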

solr/webapp/web/js/scripts/analysis.js
--- analysis.js 2015-04-03 14:22:34.000000000 +0800
+++ analysis_patch.js   2015-04-03 14:23:09.000000000 +0800
@@ -80,7 +80,7 @@
               {
                 fields.push
                 (
-                  '<option value="fieldname=' + field_name + '">' + field_name + '</option>'
+                  '<option value="fieldname=' + field_name.esc() + '">' + field_name.esc() + '</option>'
                 );
               }
               if( 0 !== fields.length )
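Review bot: the `+++` header names `analysis_patch.js` rather than `analysis.js` (the schema-browser hunk above has the same `schema-browser_patch.js` header), so `patch -p0` from a Solr checkout will not find the target file; regenerate the diff with `git diff`, or with `diff -u` between copies that keep the original path, so the hunks apply cleanly. The `value="fieldname=..."` attribute here has the same URL-in-attribute concern as the schema-browser hunk: HTML escaping alone does not stop `&` or `=` in a field name from breaking the `fieldname=` parameter, so URL-encode the name before `.esc()`.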



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

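The following is an added example, not code from the Solr project or from the reporter, showing how a field name supplied through the Schema API reaches the Admin UI's `<option>` list with and without escaping. `htmlEscape` is an assumed stand-in for the UI's `String.prototype.esc()`; the field names are constructed sample input, and the third one is the kind of value an add-field request could carry.

```javascript
// Added example (not Solr's code): how a field name created through the
// Schema API reaches the Admin UI's <option> list, before and after escaping.
// `htmlEscape` is an assumed stand-in for the UI's String.prototype.esc().

// Minimal HTML escaper covering the characters that matter in element text
// and in double-quoted attribute values.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: raw concatenation, as in the "-" lines of the patch.
function buildOptionsVulnerable(fieldNames) {
  return fieldNames
    .map(function (name) {
      return '<option value="?field=' + name + '">' + name + '</option>';
    })
    .join('');
}

// Hardened pattern: HTML-escape the element text; URL-encode and then
// HTML-escape the attribute value, because it is both a query-string
// parameter and an HTML attribute.
function buildOptionsHardened(fieldNames) {
  return fieldNames
    .map(function (name) {
      var attr = htmlEscape(encodeURIComponent(name));
      return '<option value="?field=' + attr + '">' + htmlEscape(name) + '</option>';
    })
    .join('');
}

// Check a reviewer can run over generated markup: every tag must be an
// <option> or </option>; any other tag name came from untrusted input.
function containsForeignTag(html) {
  var tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  var m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m[1].toLowerCase() !== 'option') {
      return true;
    }
  }
  return false;
}

// Constructed sample: two benign names and one carrying markup, which the
// Schema API add-field request does not reject.
var sampleFieldNames = [
  'id',
  'title_txt',
  '"><img src=x onerror=alert(document.cookie)>'
];

var vulnerable = buildOptionsVulnerable(sampleFieldNames);
var hardened = buildOptionsHardened(sampleFieldNames);
console.log('vulnerable markup injects a tag:', containsForeignTag(vulnerable)); // true
console.log('hardened markup injects a tag:', containsForeignTag(hardened));     // false
```

The attribute value is encoded twice on purpose: `encodeURIComponent` keeps `&`, `=` and `#` from changing the query string the UI later parses, and `htmlEscape` keeps the result safe inside the double-quoted attribute even if a future escaper leaves `%` sequences alone.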