Posted to dev@lucene.apache.org by "Shawn Heisey (JIRA)" <ji...@apache.org> on 2014/02/23 09:09:20 UTC

[jira] [Commented] (SOLR-5742) XSS vulnerability in Solr /admin/debug.jsp

    [ https://issues.apache.org/jira/browse/SOLR-5742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13909709#comment-13909709 ] 

Shawn Heisey commented on SOLR-5742:
------------------------------------

Thank you for your bug report.

If Solr is used as recommended, known and unknown security bugs are very difficult to exploit.  Solr should not be exposed to anyone you cannot fully trust, *especially* the Internet.

As you may already know, the admin UI was entirely rewritten for 4.x.  In 1.x and 3.x, the UI used JavaServer Pages, so each page in the UI has a .jsp extension.  The JSP code runs on the server side.

In 4.x, the UI is written in JavaScript and runs almost entirely in the browser, rather than the server.  All JSP code has been removed from Solr, and the example jetty does not even include the JSP module.

Solr 1.4.1 is the last 1.x version; there will not be another release.  Solr 3.x is in maintenance mode.  This means that only fixes for severe bugs will be committed to that code branch.  Committers are focused on new development for 4.x and trunk, with very little time to work on code that's over a year old and has not given any sign of show-stopper bugs.

So far there are no major Linux distributions that have packages for Solr 4.x, so version 3.6.x is still used quite a bit.  Every now and then I even hear from someone who's still using 1.4.1.

There have already been a number of security fixes applied to the 3.6 code branch, but there has not been any strong motivation to release 3.6.3, especially since upgrading to 4.x is likely to eliminate the problem.


> XSS vulnerability in Solr /admin/debug.jsp
> ------------------------------------------
>
>                 Key: SOLR-5742
>                 URL: https://issues.apache.org/jira/browse/SOLR-5742
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 1.4.1, 3.6.2
>         Environment: Ubuntu 12.04 (x64-64) hosting the example deployment using Jetty
>            Reporter: Ben Lincoln
>
> The debug.jsp file included in the example deployment package for versions 1.4.1 and 3.6.2 contains a reflected cross-site scripting vulnerability in the "handler" URL parameter.
> E.g. http://exampleserver:8983/solr/admin/debug.jsp?handler=<script>alert(1);</script>
> This file appears to have either been removed or disabled with the 4.x releases.
> Unlike SOLR-4305, this is triggered immediately on page load and doesn't have to be triggered as a JavaScript event-handler.



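The class of flaw described in the report (a request parameter echoed into server-rendered HTML), shown beside a hardened form. This is an added example, not part of the original message and not the code of Solr's debug.jsp; the class, the method names, the `<h2>` markup and the allowlist pattern for handler names are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class ReflectedParamDemo {
    // Assumption: handler names use only letters, digits and / _ . - characters.
    private static final Pattern HANDLER_NAME = Pattern.compile("[A-Za-z0-9/_.-]{1,128}");

    // Unsafe pattern: the parameter is concatenated into markup unchanged,
    // so any tags in the value become part of the page the browser parses.
    static String renderUnsafe(String handler) {
        return "<h2>Handler: " + handler + "</h2>";
    }

    // Encode the characters that can change parsing context in element
    // content and in quoted attribute values.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened pattern: reject values outside the allowlist, and still
    // encode at the point of output so the page never depends on validation alone.
    static String renderSafe(String handler) {
        if (handler == null || !HANDLER_NAME.matcher(handler).matches()) {
            return "<h2>Invalid handler name</h2>";
        }
        return "<h2>Handler: " + escapeHtml(handler) + "</h2>";
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain handler name and the value quoted in the report.
        String[] samples = { "/select", "<script>alert(1);</script>" };
        for (String v : samples) {
            System.out.println("unsafe:  " + renderUnsafe(v));
            System.out.println("encoded: " + escapeHtml(v));
            System.out.println("safe:    " + renderSafe(v));
        }
    }
}
```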