You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@lucene.apache.org by "Mei Wang (JIRA)" <ji...@apache.org> on 2015/04/03 08:46:52 UTC
[jira] [Created] (SOLR-7346) Stored XSS in Admin UI Schema-Browser
page and Analysis page
Mei Wang created SOLR-7346:
------------------------------
Summary: Stored XSS in Admin UI Schema-Browser page and Analysis page
Key: SOLR-7346
URL: https://issues.apache.org/jira/browse/SOLR-7346
Project: Solr
Issue Type: Bug
Components: UI
Affects Versions: 5.0, 4.10.2
Environment: linux x86_64
jdk 1.7.0.75
apache tomcat-7.0.57
solr 5.0.0
Reporter: Mei Wang
Like CVE-2014-3628 , the vulnerability also exists in Admin UI Schema-Browser page and Analysis page, which was caused by improper validation of user-supplied input, for example, create fields by Schema API. When the Schema-Browser page or Analysis page url is clicked, an XSS will be triggered. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
patch for solr5.0.0
solr/webapp/web/js/scripts/schema-browser.js
--- schema-browser.js 2015-04-03 14:42:19.000000000 +0800
+++ schema-browser_patch.js 2015-04-03 14:42:59.000000000 +0800
@@ -596,7 +596,7 @@
{
fields.push
(
- '<option value="?field=' + field_name + '">' + field_name + '</option>'
+ '<option value="?field=' + field_name.esc() + '">' + field_name.esc() + '</option>'
);
}
if( 0 !== fields.length )
solr/webapp/web/js/scripts/analysis.js
--- analysis.js 2015-04-03 14:22:34.000000000 +0800
+++ analysis_patch.js 2015-04-03 14:23:09.000000000 +0800
@@ -80,7 +80,7 @@
{
fields.push
(
- '<option value="fieldname=' + field_name + '">' + field_name + '</option>'
+ '<option value="fieldname=' + field_name.esc() + '">' + field_name.esc() + '</option>'
);
}
if( 0 !== fields.length )
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org