Posted to general@lucene.apache.org by gregory draperi <gr...@gmail.com> on 2013/06/18 15:13:09 UTC

XSS Issue

Dear Solr project members,

I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2
version of Solr.

How can I give you more details?

Regards,

-- 
Grégory Draperi

RE: XSS Issue

Posted by Uwe Schindler <uw...@thetaphi.de>.
Hi,

I already said that you should report your issue to private@lucene.apache.org.
The thing I wanted to say is: Everything in Solr is insecure by default; an additional XSS or whatever XFOOBAR does not matter at all, because Solr should only run on a completely secured private network. So any issue like this has no great impact at all.

The main issue of triggering stateful GET requests can only be fixed by redesigning Solr's public and documented APIs. This is impossible for bug fix releases, and major releases also need to stay backwards compatible, so fixing all issues that involve triggering stateful GET requests to the public API (through whatever mechanism) is far out.

> XSS is a much larger problem than CSRF because you can execute JavaScript
> code in the user's browser, which can lead to a compromise.

In your original report you were talking about XSS and, in the same email, about the IMG-based links a user may get in his email. I was solely referring to the latter ones, which are unfixable without changing the REST API.

You were also referring to:

> Yes, he can do that, but as I said the same problem can occur without his consent (and without a click)
> if he's on an arbitrary website which hosts an HTML IMG pointing to the vulnerable page of the Solr
> administrator interface (like <IMG src="http://X.X.X.X/solr/admin/xss_vulnerable_page/"> )

This is again not related to XSS at all!

I told you to report the XSS to the above mail address; you have not done that until now, so I assume you were only talking about similar things like the funny web page I was referring to.

Finally: The XSS issues are low priority, because the admin web interface of Solr should never ever be in a network where you have access from browsers that have access to the internet. This is why I referred to the SolrSecurity wiki page.

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: gregory draperi [mailto:gregory.draperi@gmail.com]
> Sent: Tuesday, June 18, 2013 11:04 PM
> To: general
> Subject: Re: XSS Issue
> 
> I speak about XSS, not CSRF.
> 
> The way to fix XSS is to encode tainted data such as users' inputs.
> 
> For the CSRF problem there are techniques to prevent it in REST APIs (cf.
> the OWASP or NSA documents), but I understand that it may not be done due to
> the impacts:
> http://fr.slideshare.net/johnwilander/advanced-csrf-and-stateless-anticsrf
> http://www.nsa.gov/ia/_files/support/guidelines_implementation_rest.pdf
> 
> XSS is a much larger problem than CSRF because you can execute JavaScript
> code in the user's browser, which can lead to a compromise.
> 
> 
> 
> 
> 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> 
> > The issue from the web page I posted cannot be fixed because it would
> > break all clients out there, because the REST API is the official API
> > to Solr, implemented by millions of clients... This is what I mean
> > with "reinvent Solr to fix this".
> > The issue here is that it allows GET requests to modify the index. But
> > as said before, it is unfixable unless you want to break all client
> > software outside.
> >
> > If you want to prevent this, use e.g. ElasticSearch, which has a
> > better, standards-conforming REST API (which does not allow GET
> > requests to modify anything).
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: uwe@thetaphi.de
> >
> >
> > > -----Original Message-----
> > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > Sent: Tuesday, June 18, 2013 6:43 PM
> > > To: general
> > > Subject: Re: XSS Issue
> > >
> > > Yes, it works because it exploits a CSRF issue, and in my opinion it
> > > should also be fixed, like XSS vulnerabilities in the application.
> > >
> > > I think we don't understand each other.
> > >
> > > I'm going to send details to the private mailing list and I won't
> > > waste your time any more.
> > >
> > > Regards,
> > >
> > >
> > > 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> > >
> > > > Have fun with this web page:
> > > >
> > > > http://www.thetaphi.de/nukeyoursolrindex.html
> > > >
> > > > It really works: if you have a default Solr instance running on
> > > > your local machine on the default port with the default collection,
> > > > and you open this web page, this nukes your index. This has nothing
> > > > to do with the Admin interface.
> > > >
> > > > Uwe
> > > >
> > > > -----
> > > > Uwe Schindler
> > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > eMail: uwe@thetaphi.de
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > Sent: Tuesday, June 18, 2013 6:27 PM
> > > > > To: general
> > > > > Subject: Re: XSS Issue
> > > > >
> > > > > This is a Cross-Site Request Forgery issue (not an XSS) and should be
> > > > > fixed, for example, by adding an unpredictable parameter to the request.
> > > > >
> > > > > I'm going to send to private@lucene.apache.org what I have found.
> > > > >
> > > > > Best regards,
> > > > >
> > > > > Grégory
> > > > >
> > > > > 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> > > > >
> > > > > > Just to show this without the admin interface: Add these two
> > > > > > images to any web page like this:
> > > > > >
> > > > > > <img src="http://localhost:8983/solr/collection1/update?stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E" />
> > > > > > <img src="http://localhost:8983/solr/collection1/update?stream.body=%3Ccommit/%3E" />
> > > > > >
> > > > > > Anybody who visits this web page would nuke the index of his
> > > > > > running Solr server on the local machine; there is not even the
> > > > > > admin web interface involved. Any REST API on earth has this
> > > > > > problem; it is not specific to Solr!
> > > > > >
> > > > > > Uwe
> > > > > >
> > > > > > -----
> > > > > > Uwe Schindler
> > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > > > eMail: uwe@thetaphi.de
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Uwe Schindler [mailto:uwe@thetaphi.de]
> > > > > > > Sent: Tuesday, June 18, 2013 6:01 PM
> > > > > > > To: general@lucene.apache.org
> > > > > > > Cc: 'gregory draperi'
> > > > > > > Subject: RE: XSS Issue
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > you can of course send your investigation to
> > > > > > > private@lucene.apache.org; we greatly appreciate this.
> > > > > > > An XSS problem in the Solr Admin interface can for sure be solved
> > > > > > > somehow, but would not help to make Solr secure. Without the admin
> > > > > > > interface you can still add some image into any web page that
> > > > > > > executes a "delete whole index request" on the Solr server.
> > > > > > >
> > > > > > > If you want to prevent this, you can add HTTP basic authentication
> > > > > > > to your web container, as described in the Solr wiki.
> > > > > > >
> > > > > > > In general: If you have e.g. an EC2 cloud of Solr servers, add an
> > > > > > > extra security group to your cloud and limit all access from
> > > > > > > outside. Then also no admin can access this.
> > > > > > >
> > > > > > > -----
> > > > > > > Uwe Schindler
> > > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > > > > eMail: uwe@thetaphi.de
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > > > > Sent: Tuesday, June 18, 2013 5:46 PM
> > > > > > > > To: Uwe Schindler
> > > > > > > > Cc: general
> > > > > > > > Subject: Re: XSS Issue
> > > > > > > >
> > > > > > > > Yes, he can do that, but as I said the same problem can occur
> > > > > > > > without his consent (and without a click) if he's on an arbitrary
> > > > > > > > website which hosts an HTML IMG pointing to the vulnerable page of
> > > > > > > > the Solr administrator interface (like <IMG
> > > > > > > > src="http://X.X.X.X/solr/admin/xss_vulnerable_page/"> )
> > > > > > > >
> > > > > > > > I'm thankful for your quick responses, although I don't
> > > > > > > > understand this philosophy. I note the point.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Grégory DRAPERI
> > > > > > > >
> > > > > > > >
> > > > > > > > 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> > > > > > > >
> > > > > > > > > He can also delete his whole index with a single click on an
> > > > > > > > > HTTP link referring to his Solr server. This is his problem.
> > > > > > > > > Never click on links from e-mail.
> > > > > > > > > Solr is, as said already, not secured at all. If you want a
> > > > > > > > > "secure" Solr server, rewrite the whole thing. The same applies
> > > > > > > > > to other Lucene based products like ElasticSearch that have no
> > > > > > > > > "security" included.
> > > > > > > > >
> > > > > > > > > -----
> > > > > > > > > Uwe Schindler
> > > > > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> > > > > > > > > eMail: uwe@thetaphi.de
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > > > > > > Sent: Tuesday, June 18, 2013 5:26 PM
> > > > > > > > > > To: Uwe Schindler
> > > > > > > > > > Cc: general
> > > > > > > > > > Subject: Re: XSS Issue
> > > > > > > > > >
> > > > > > > > > > Hi Uwe,
> > > > > > > > > >
> > > > > > > > > > Thank you for your quick response.
> > > > > > > > > >
> > > > > > > > > > I'm a little bit surprised, because XSS is not a problem of
> > > > > > > > > > making Solr accessible or not to the Internet, because this is
> > > > > > > > > > a reflected XSS. If an administrator receives a mail with a
> > > > > > > > > > malicious link pointing to the Solr administrator interface
> > > > > > > > > > and containing a malicious payload, he will execute the
> > > > > > > > > > JavaScript if he clicks on it.
> > > > > > > > > >
> > > > > > > > > > There are also other techniques that can be used to make a
> > > > > > > > > > Solr administrator execute this link without his consent (an
> > > > > > > > > > HTML IMG tag pointing to the Solr administration interface and
> > > > > > > > > > hosted on a malicious website), and that will bypass
> > > > > > > > > > network-based protection.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > >
> > > > > > > > > > Grégory DRAPERI
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> > > > > > > > > >
> > > > > > > > > > > Hi Grégory,
> > > > > > > > > > >
> > > > > > > > > > > Solr should always listen only on private networks; never
> > > > > > > > > > > make it accessible to the internet. This is officially
> > > > > > > > > > > documented; for more information about this, see:
> > > > > > > > > > > http://wiki.apache.org/solr/SolrSecurity
> > > > > > > > > > > Solr uses HTTP as its programming API and you can do
> > > > > > > > > > > everything Java allows via HTTP, but HTTP does not mean it
> > > > > > > > > > > must be open to the internet. By opening a Solr server to
> > > > > > > > > > > the internet you are somehow wrapping everything Java allows
> > > > > > > > > > > to the internet, so it is not recommended. Solr also has no
> > > > > > > > > > > security features at all; managing this is all up to the
> > > > > > > > > > > front-end, sitting on internet or insecure networks.
> > > > > > > > > > >
> > > > > > > > > > > There are already some issues open to limit some XSS and
> > > > > > > > > > > similar access:
> > > > > > > > > > > https://issues.apache.org/jira/browse/SOLR-4882
> > > > > > > > > > >
> > > > > > > > > > > Uwe
> > > > > > > > > > >
> > > > > > > > > > > -----
> > > > > > > > > > > Uwe Schindler
> > > > > > > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > http://www.thetaphi.de
> > > > > > > > > > > eMail: uwe@thetaphi.de
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > > > > > > > > Sent: Tuesday, June 18, 2013 3:13 PM
> > > > > > > > > > > > To: general@lucene.apache.org
> > > > > > > > > > > > Subject: XSS Issue
> > > > > > > > > > > >
> > > > > > > > > > > > Dear Solr project members,
> > > > > > > > > > > >
> > > > > > > > > > > > I think I have found an XSS (Cross-Site Scripting)
> > > > > > > > > > > > issue in the 3.6.2 version of Solr.
> > > > > > > > > > > >
> > > > > > > > > > > > How can I give you more details?
> > > > > > > > > > > >
> > > > > > > > > > > > Regards,
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > Grégory Draperi
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Grégory Draperi
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Grégory Draperi
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Grégory Draperi
> > > >
> > > >
> > >
> > >
> > > --
> > > Grégory Draperi
> >
> >
> 
> 
> --
> Grégory Draperi
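The two <img> requests quoted in this thread, a front-end gate that would stop them, and what they leave in an access log, as an added example. This is not code from the thread or from the Solr project; the host name, the gate policy, the log format and the log lines are all constructed for illustration.

```python
"""Added example, not from the thread and not Solr project code.

It shows (1) what a browser actually sends for the two <img> tags quoted
above, (2) a gate that a reverse proxy or servlet filter placed in front of
Solr could apply so that GET requests never reach the update handler, and
(3) a detector that scans access-log lines for the same pattern. The host
name, the gate policy and the log lines are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The two URLs from the thread's <img> tags (default host, port and collection).
DELETE_ALL_URL = ("http://localhost:8983/solr/collection1/update"
                  "?stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E")
COMMIT_URL = ("http://localhost:8983/solr/collection1/update"
              "?stream.body=%3Ccommit/%3E")

# /solr/<core>/update and everything below it (e.g. /update/csv).
UPDATE_PATH = re.compile(r"^/solr/[^/]+/update(?:/|$)")


def decode_stream_body(url):
    """Return the XML Solr would parse from the stream.body parameter, or None.

    stream.body lets a request body be smuggled into the query string; that is
    what turns a plain <img> GET into a delete-all followed by a commit."""
    params = parse_qs(urlsplit(url).query)
    body = params.get("stream.body")
    return body[0] if body else None


def should_block(method, path, query, has_credentials=False):
    """Front-end policy (an assumption of this example, not Solr behaviour).

    Returns (blocked, reason). A GET carrying stream.body is refused anywhere,
    every GET to the update handler is refused, and non-GET updates must carry
    credentials (e.g. the container's HTTP Basic auth mentioned in the thread).
    Legitimate clients that index via GET would have to switch to POST."""
    params = parse_qs(query)
    if method == "GET" and "stream.body" in params:
        return True, "stream.body on GET"
    if UPDATE_PATH.match(path):
        if method == "GET":
            return True, "GET to update handler"
        if not has_credentials:
            return True, "update without credentials"
    return False, ""


# Combined log format, as a container or proxy in front of Solr would write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')


def scan_access_log(lines, own_hosts=("localhost:8983",)):
    """Return one finding per request whose URL carries an update command.

    A Referer from a foreign origin is the classic trace of a cross-site <img>;
    own_hosts lists the host:port values under which Solr is legitimately used."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        body = decode_stream_body(m.group("target"))
        if body is None:
            continue
        tag = re.match(r"\s*<(\w+)", body)
        referer = m.group("referer") or ""
        if referer == "-":
            referer = ""
        findings.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "command": tag.group(1) if tag else "?",
            "referer": referer,
            "cross_site": bool(referer) and urlsplit(referer).netloc not in own_hosts,
        })
    return findings


# Constructed sample log: the two <img> hits coming from an admin's browser
# (10.0.0.23) that opened a hostile page, a harmless query and a POST update.
SAMPLE_LOG = [
    '10.0.0.23 - - [18/Jun/2013:18:05:01 +0200] "GET /solr/collection1/update'
    '?stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E HTTP/1.1" '
    '200 41 "http://attacker.example/nuke.html" "Mozilla/5.0"',
    '10.0.0.23 - - [18/Jun/2013:18:05:01 +0200] "GET /solr/collection1/update'
    '?stream.body=%3Ccommit/%3E HTTP/1.1" 200 41 "http://attacker.example/nuke.html" '
    '"Mozilla/5.0"',
    '10.0.0.5 - - [18/Jun/2013:18:05:02 +0200] "GET /solr/collection1/select'
    '?q=*:*&wt=json HTTP/1.1" 200 1320 "-" "curl/7.29.0"',
    '10.0.0.5 - - [18/Jun/2013:18:05:03 +0200] "POST /solr/collection1/update'
    ' HTTP/1.1" 200 41 "-" "SolrJ/3.6.2"',
]

if __name__ == "__main__":
    print(decode_stream_body(DELETE_ALL_URL))   # <delete><query>*:*</query></delete>
    print(should_block("GET", "/solr/collection1/update", urlsplit(DELETE_ALL_URL).query))
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The gate deliberately refuses stream.body on any GET before it even looks at the path, because the parameter is what lets a URL alone carry an update; the log scan flags the same parameter and records the Referer so that a hit from a foreign origin can be told apart from an in-house script that still indexes via GET.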


Re: XSS Issue

Posted by gregory draperi <gr...@gmail.com>.
I speak about XSS, not CSRF.

The way to fix XSS is to encode tainted data such as users' inputs.

For the CSRF problem there are techniques to prevent it in REST APIs (cf.
the OWASP or NSA documents), but I understand that it may not be done due to
the impacts:
http://fr.slideshare.net/johnwilander/advanced-csrf-and-stateless-anticsrf
http://www.nsa.gov/ia/_files/support/guidelines_implementation_rest.pdf

XSS is a much larger problem than CSRF because you can execute JavaScript
code in the user's browser, which can lead to a compromise.




2013/6/18 Uwe Schindler <uw...@thetaphi.de>

> The issue from the webpage I posted cannot be fixed because it would break
> all clients out there, because the REST API is the official API to Solr
> implemented by millions of clients... This is what I mean with: Reinvent
> Solr to fix this.
> The issue here is that it allows GET requests to modify the index. But as
> said before, it is unfixable unless you want to break all client software
> outside.
>
> If you want to prevent this, use e.g. ElasticSearch, which has a better,
> standards conform-designed REST API (which does not allow GET requests to
> modify anything).
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe@thetaphi.de
>
>
> > -----Original Message-----
> > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > Sent: Tuesday, June 18, 2013 6:43 PM
> > To: general
> > Subject: Re: XSS Issue
> >
> > Yes, it works because it exploits a CSRF issue and in my opinion it
> should also
> > be fixed like XSS vulnerabilities in the application.
> >
> > I think we don't understand each other.
> >
> > I'm going to send details to the private mailing list and I won't waste
> your
> > time more.
> >
> > Regards,
> >
> >
> > 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> >
> > > Have fun with this web page:
> > >
> > > http://www.thetaphi.de/nukeyoursolrindex.html
> > >
> > > It really works, if you have a default Solr instance running on your
> > > local machine on default port with default collection, and you open
> > > this web page
> > > -> this nukes your index. This has nothing to do with the Admin
> interface.
> > >
> > > Uwe
> > >
> > > -----
> > > Uwe Schindler
> > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > http://www.thetaphi.de
> > > eMail: uwe@thetaphi.de
> > >
> > >
> > > > -----Original Message-----
> > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > Sent: Tuesday, June 18, 2013 6:27 PM
> > > > To: general
> > > > Subject: Re: XSS Issue
> > > >
> > > > This is a Cross-Site Request Forgery issue (not a XSS) and should be
> > > fixed by
> > > > example by adding an impredictible parameter to the request.
> > > >
> > > > I'm going to send to private@lucene.apache.org what I have found.
> > > >
> > > > Best regards,
> > > >
> > > > Grégory
> > > >
> > > > 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> > > >
> > > > > Just to show this without the admin interface: Add these two
> > > > > images to any web page like this:
> > > > >
> > > > > <img src="
> > > > >
> > > > http://localhost:8983/solr/collection1/update?stream.body=%3Cdelete%
> > > > 3E %3Cquery%3E*:*%3C/query%3E%3C/delete%3E"
> > > > > />
> > > > > <img src="
> > > > >
> > > > http://localhost:8983/solr/collection1/update?stream.body=%3Ccommit/
> > > > %3
> > > > E"
> > > > > />
> > > > >
> > > > > Anybody who visits this web page would nuke the index of his
> > > > > running solr server on the local machine - there is not even the
> > > > > admin web interface involved. Any REST API on earth has this
> > > > > problem, it is not specific to Solr!
> > > > >
> > > > > Uwe
> > > > >
> > > > > -----
> > > > > Uwe Schindler
> > > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > > eMail: uwe@thetaphi.de
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Uwe Schindler [mailto:uwe@thetaphi.de]
> > > > > > Sent: Tuesday, June 18, 2013 6:01 PM
> > > > > > To: general@lucene.apache.org
> > > > > > Cc: 'gregory draperi'
> > > > > > Subject: RE: XSS Issue
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > you can of course send your investigation to
> > > > > > private@lucene.apache.org,
> > > > > we
> > > > > > greatly appreciate this.
> > > > > > An XSS problem in the Solr Admin interface can for sure be solved
> > > > > somehow,
> > > > > > but would not help to make Solr secure. Without the admin
> interface
> > > > > > you
> > > > > can
> > > > > > still add some image into any web page that executes a "delete
> whole
> > > > > index
> > > > > > request" on the Solr server.
> > > > > >
> > > > > > If you want to prevent this, you can add HTTP basic
> authentication
> > > > > > to
> > > > > your
> > > > > > web container, as described in the solr wiki.
> > > > > >
> > > > > > In general: If you have e.g. an EC2 coud of solr servers, add an
> > > > > > extra
> > > > > security
> > > > > > group to your cloud and limit all access from outside. Then also
> no
> > > > > admin can
> > > > > > access this.
> > > > > >
> > > > > > -----
> > > > > > Uwe Schindler
> > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > > > eMail: uwe@thetaphi.de
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > > > Sent: Tuesday, June 18, 2013 5:46 PM
> > > > > > > To: Uwe Schindler
> > > > > > > Cc: general
> > > > > > > Subject: Re: XSS Issue
> > > > > > >
> > > > > > > Yes he can do that but as I said the same problem can occur
> without
> > > > > > > his consent (and without a click) if he's on an arbitrary
> website
> > > > > > > which hosts a HTML IMG pointing to the vulnerable page of the
> solr
> > > > > > > administrator interface (like <IMG
> > > > > > > src="http://X.X.X.X/solr/admin/xss_vulnerable_page/> )
> > > > > > >
> > > > > > > I'm thankful for your quick responses despite I don't
> understand
> > > this
> > > > > > > philosophy. I note the point.
> > > > > > >
> > > > > > > Regards,
> > > > > > >
> > > > > > > Grégory DRAPERI
> > > > > > >
> > > > > > >
> > > > > > > 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> > > > > > >
> > > > > > > > He can also delete his whole index with a single click on a
> http
> > > > > > > > link referring to his Solr server. This is his problem. Never
> > > click
> > > > > > > > on links from eMail.
> > > > > > > > Solr is, as said already, not secured at all. If you want a
> > > "secure"
> > > > > > > > Solr server, rewrite the whole thing. The same applies to
> other
> > > > > > > > Lucene based products like ElasticSearch that have no
> "security"
> > > > > included.
> > > > > > > >
> > > > > > > > -----
> > > > > > > > Uwe Schindler
> > > > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > > > > > eMail: uwe@thetaphi.de
> > > > > > > >
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > > > > > Sent: Tuesday, June 18, 2013 5:26 PM
> > > > > > > > > To: Uwe Schindler
> > > > > > > > > Cc: general
> > > > > > > > > Subject: Re: XSS Issue
> > > > > > > > >
> > > > > > > > > Hi Uwe,
> > > > > > > > >
> > > > > > > > > Thank you for your quick response.
> > > > > > > > >
> > > > > > > > > I'm a little bit surprised because XSS is not a problem of
> > > making
> > > > > > > > > solr
> > > > > > > > accessible
> > > > > > > > > or not to Internet because this a reflected XSS. If an
> > > > > administrator
> > > > > > > > receives a
> > > > > > > > > mail with a malicious link pointing to the solr
> administrator
> > > > > > > > > interface
> > > > > > > > and
> > > > > > > > > containing a malicious payload he will execute the
> JavaScript
> > > if he
> > > > > > > > clicks on it.
> > > > > > > > >
> > > > > > > > > There also others techniques that can be used to make an
> solr
> > > > > > > > administrator
> > > > > > > > > executing this link without his consent (HTML IMG TAG
> pointing
> > > to
> > > > > > > > > the
> > > > > > > > solr
> > > > > > > > > administration interface and hosted on a malicious website)
> > >  and
> > > > > > > > > that
> > > > > > > > will
> > > > > > > > > bypass network based protection.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > >
> > > > > > > > > Grégory DRAPERI
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> > > > > > > > >
> > > > > > > > > > Hi Grégory,
> > > > > > > > > >
> > > > > > > > > > Solr should be always only listen on private networks,
> never
> > > make
> > > > > > > > > > it accessible to the internet. This is officially
> > > documented; for
> > > > > > > > > > more Information about this, see:
> > > > > > > > > > http://wiki.apache.org/solr/SolrSecurity
> > > > > > > > > > Solr uses HTTP as its programming API and you can do
> > > everything
> > > > > > > > > > Java allows via HTTP, but HTTP does not mean it must be
> open
> > > to
> > > > > > > > > > the internet. By opening a Solr server to the internet
> you
> > > are
> > > > > > > > > > somehow wrapping everything Java allows to the internet,
> so
> > > it is
> > > > > > > > > > not recommeneded. Solr also has no security features at
> all;
> > > > > > > > > > managing this is all up to the front-end, sitting on
> > > internet or
> > > > > insecure
> > > > > > > networks.
> > > > > > > > > >
> > > > > > > > > > There are already some issues open to limit some XSS and
> > > similar
> > > > > > > > access:
> > > > > > > > > > https://issues.apache.org/jira/browse/SOLR-4882
> > > > > > > > > >
> > > > > > > > > > Uwe
> > > > > > > > > >
> > > > > > > > > > -----
> > > > > > > > > > Uwe Schindler
> > > > > > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > > > > > > > > > eMail: uwe@thetaphi.de
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: gregory draperi [mailto:
> gregory.draperi@gmail.com]
> > > > > > > > > > > Sent: Tuesday, June 18, 2013 3:13 PM
> > > > > > > > > > > To: general@lucene.apache.org
> > > > > > > > > > > Subject: XSS Issue
> > > > > > > > > > >
> > > > > > > > > > > Dear Solr project members,
> > > > > > > > > > >
> > > > > > > > > > > I think I have found a XSS (Cross-Site Scripting)
> issue in
> > > the
> > > > > 3.6.2
> > > > > > > > > > version of
> > > > > > > > > > > Solr.
> > > > > > > > > > >
> > > > > > > > > > > How can I give you more details?
> > > > > > > > > > >
> > > > > > > > > > > Regards,
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Grégory Draperi
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Grégory Draperi
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Grégory Draperi
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > Grégory Draperi
> > >
> > >
> >
> >
> > --
> > Grégory Draperi
>
>


-- 
Grégory Draperi
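The "unpredictable parameter" proposed above, worked through as a stateless anti-CSRF token of the HMAC kind described in the linked slides, as an added example. This is not code from the thread or from the Solr project; the secret key, the session ids, the header and cookie names and the request shape are all constructed for the demo.

```python
"""Added example, not from the thread and not Solr project code.

It implements the "unpredictable parameter" proposed in the thread as a
stateless anti-CSRF token of the HMAC / double-submit kind described in the
linked slides. The server keeps one secret key; a token is an HMAC over the
session id and an expiry, so nothing is stored per request, and a cross-site
<img> or auto-submitted form cannot supply it because the attacker never sees
the victim's session cookie. The key, session ids, header and cookie names and
the request shape below are constructed for the demo.
"""
import base64
import hashlib
import hmac

TOKEN_HEADER = "X-CSRF-Token"  # assumed header name
SESSION_COOKIE = "JSESSIONID"  # servlet-container style session cookie, assumed


def _mac(key, session_id, exp):
    """HMAC-SHA256 over 'session_id|expiry', URL-safe base64 without padding."""
    digest = hmac.new(key, f"{session_id}|{exp}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_token(key, session_id, now, ttl=3600):
    """Token = '<expiry>.<mac>'. It is handed to the page that will make the
    request (embedded in the UI or returned by an API call), never set as a
    cookie, so the browser does not attach it to cross-site requests."""
    exp = now + ttl
    return f"{exp}.{_mac(key, session_id, exp)}"


def verify_token(key, session_id, token, now):
    """Recompute the MAC for this session and expiry; compare in constant time."""
    try:
        exp_str, mac = token.split(".", 1)
        exp = int(exp_str)
    except ValueError:
        return False
    if now >= exp:
        return False
    return hmac.compare_digest(mac.encode(), _mac(key, session_id, exp).encode())


def handle_update(request, key, now, allowed_origins=("http://localhost:8983",)):
    """Gate for a state-changing endpoint; returns an HTTP status code.

    request is a dict {"method", "headers", "cookies"}. Order: refuse GET first
    (an <img> can only GET), then require a session, then the token bound to
    that session, then reject a foreign Origin as defence in depth."""
    if request["method"] != "POST":
        return 405
    session_id = request.get("cookies", {}).get(SESSION_COOKIE)
    if not session_id:
        return 401
    headers = request.get("headers", {})
    if not verify_token(key, session_id, headers.get(TOKEN_HEADER, ""), now):
        return 403
    origin = headers.get("Origin")
    if origin is not None and origin not in allowed_origins:
        return 403
    return 200


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"  # constructed; use os.urandom(32) in practice
    now = 1371571200                            # constructed timestamp
    cookies = {SESSION_COOKIE: "sess-A"}
    token = issue_token(key, "sess-A", now)
    # What the <img> on a hostile page produces: a GET with the cookie, no token.
    print(handle_update({"method": "GET", "cookies": cookies, "headers": {}}, key, now))   # 405
    # A forged POST (auto-submitted form) carries the cookie but still no token.
    print(handle_update({"method": "POST", "cookies": cookies, "headers": {}}, key, now))  # 403
    # The legitimate UI sends cookie and token together.
    print(handle_update({"method": "POST", "cookies": cookies,
                         "headers": {TOKEN_HEADER: token}}, key, now + 5))                # 200
```

The token is bound to the session id, so a token issued to one session is useless for another, and it is verified by recomputation rather than lookup, which is what keeps the scheme stateless; rejecting GET outright is still the first check, because that alone defeats the <img> vector shown in the thread.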

RE: XSS Issue

Posted by Uwe Schindler <uw...@thetaphi.de>.
The issue from the web page I posted cannot be fixed because it would break all clients out there, because the REST API is the official API to Solr, implemented by millions of clients... This is what I mean with "reinvent Solr to fix this".
The issue here is that it allows GET requests to modify the index. But as said before, it is unfixable unless you want to break all client software outside.

If you want to prevent this, use e.g. ElasticSearch, which has a better, standards-conforming REST API (which does not allow GET requests to modify anything).

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: gregory draperi [mailto:gregory.draperi@gmail.com]
> Sent: Tuesday, June 18, 2013 6:43 PM
> To: general
> Subject: Re: XSS Issue
> 
> Yes, it works because it exploits a CSRF issue and in my opinion it should also
> be fixed like XSS vulnerabilities in the application.
> 
> I think we don't understand each other.
> 
> I'm going to send details to the private mailing list and I won't waste your
> time more.
> 
> Regards,
> 
> 
> 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> 
> > Have fun with this web page:
> >
> > http://www.thetaphi.de/nukeyoursolrindex.html
> >
> > It really works, if you have a default Solr instance running on your
> > local machine on default port with default collection, and you open
> > this web page
> > -> this nukes your index. This has nothing to do with the Admin interface.
> >
> > Uwe
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: uwe@thetaphi.de
> >
> >
> > > -----Original Message-----
> > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > Sent: Tuesday, June 18, 2013 6:27 PM
> > > To: general
> > > Subject: Re: XSS Issue
> > >
> > > This is a Cross-Site Request Forgery issue (not a XSS) and should be
> > fixed by
> > > example by adding an impredictible parameter to the request.
> > >
> > > I'm going to send to private@lucene.apache.org what I have found.
> > >
> > > Best regards,
> > >
> > > Grégory
> > >
> > > 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> > >
> > > > Just to show this without the admin interface: Add these two
> > > > images to any web page like this:
> > > >
> > > > <img src="
> > > >
> > > http://localhost:8983/solr/collection1/update?stream.body=%3Cdelete%
> > > 3E %3Cquery%3E*:*%3C/query%3E%3C/delete%3E"
> > > > />
> > > > <img src="
> > > >
> > > http://localhost:8983/solr/collection1/update?stream.body=%3Ccommit/
> > > %3
> > > E"
> > > > />
> > > >
> > > > Anybody who visits this web page would nuke the index of his
> > > > running solr server on the local machine - there is not even the
> > > > admin web interface involved. Any REST API on earth has this
> > > > problem, it is not specific to Solr!
> > > >
> > > > Uwe
> > > >
> > > > -----
> > > > Uwe Schindler
> > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > eMail: uwe@thetaphi.de
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Uwe Schindler [mailto:uwe@thetaphi.de]
> > > > > Sent: Tuesday, June 18, 2013 6:01 PM
> > > > > To: general@lucene.apache.org
> > > > > Cc: 'gregory draperi'
> > > > > Subject: RE: XSS Issue
> > > > >
> > > > > Hi,
> > > > >
> > > > > you can of course send your investigation to
> > > > > private@lucene.apache.org,
> > > > we
> > > > > greatly appreciate this.
> > > > > An XSS problem in the Solr Admin interface can for sure be solved
> > > > somehow,
> > > > > but would not help to make Solr secure. Without the admin interface
> > > > > you
> > > > can
> > > > > still add some image into any web page that executes a "delete whole
> > > > index
> > > > > request" on the Solr server.
> > > > >
> > > > > If you want to prevent this, you can add HTTP basic authentication
> > > > > to
> > > > your
> > > > > web container, as described in the solr wiki.
> > > > >
> > > > > In general: If you have e.g. an EC2 coud of solr servers, add an
> > > > > extra
> > > > security
> > > > > group to your cloud and limit all access from outside. Then also no
> > > > admin can
> > > > > access this.
> > > > >
> > > > > -----
> > > > > Uwe Schindler
> > > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > > eMail: uwe@thetaphi.de
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > > Sent: Tuesday, June 18, 2013 5:46 PM
> > > > > > To: Uwe Schindler
> > > > > > Cc: general
> > > > > > Subject: Re: XSS Issue
> > > > > >
> > > > > > Yes he can do that but as I said the same problem can occur without
> > > > > > his consent (and without a click) if he's on an arbitrary website
> > > > > > which hosts a HTML IMG pointing to the vulnerable page of the solr
> > > > > > administrator interface (like <IMG
> > > > > > src="http://X.X.X.X/solr/admin/xss_vulnerable_page/> )
> > > > > >
> > > > > > I'm thankful for your quick responses despite I don't understand
> > this
> > > > > > philosophy. I note the point.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Grégory DRAPERI
> > > > > >
> > > > > >
> > > > > > 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> > > > > >
> > > > > > > He can also delete his whole index with a single click on a http
> > > > > > > link referring to his Solr server. This is his problem. Never
> > click
> > > > > > > on links from eMail.
> > > > > > > Solr is, as said already, not secured at all. If you want a
> > "secure"
> > > > > > > Solr server, rewrite the whole thing. The same applies to other
> > > > > > > Lucene based products like ElasticSearch that have no "security"
> > > > included.
> > > > > > >
> > > > > > > -----
> > > > > > > Uwe Schindler
> > > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > > > > eMail: uwe@thetaphi.de
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > > > > Sent: Tuesday, June 18, 2013 5:26 PM
> > > > > > > > To: Uwe Schindler
> > > > > > > > Cc: general
> > > > > > > > Subject: Re: XSS Issue
> > > > > > > >
> > > > > > > > Hi Uwe,
> > > > > > > >
> > > > > > > > Thank you for your quick response.
> > > > > > > >
> > > > > > > > I'm a little bit surprised because XSS is not a problem of making
> > > > > > > > solr accessible or not to Internet because this is a reflected XSS.
> > > > > > > > If an administrator receives a mail with a malicious link pointing
> > > > > > > > to the solr administrator interface and containing a malicious
> > > > > > > > payload he will execute the JavaScript if he clicks on it.
> > > > > > > >
> > > > > > > > There are also other techniques that can be used to make a solr
> > > > > > > > administrator execute this link without his consent (HTML IMG TAG
> > > > > > > > pointing to the solr administration interface and hosted on a
> > > > > > > > malicious website) and that will bypass network based protection.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Grégory DRAPERI
> > > > > > > >
> > > > > > > >
> > > > > > > > 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> > > > > > > >
> > > > > > > > > Hi Grégory,
> > > > > > > > >
> > > > > > > > > Solr should always only listen on private networks, never make
> > > > > > > > > it accessible to the internet. This is officially documented; for
> > > > > > > > > more information about this, see:
> > > > > > > > > http://wiki.apache.org/solr/SolrSecurity
> > > > > > > > > Solr uses HTTP as its programming API and you can do everything
> > > > > > > > > Java allows via HTTP, but HTTP does not mean it must be open to
> > > > > > > > > the internet. By opening a Solr server to the internet you are
> > > > > > > > > somehow wrapping everything Java allows to the internet, so it is
> > > > > > > > > not recommended. Solr also has no security features at all;
> > > > > > > > > managing this is all up to the front-end, sitting on internet or
> > > > > > > > > insecure networks.
> > > > > > > > >
> > > > > > > > > There are already some issues open to limit some XSS and similar
> > > > > > > > > access:
> > > > > > > > > https://issues.apache.org/jira/browse/SOLR-4882
> > > > > > > > >
> > > > > > > > > Uwe
> > > > > > > > >
> > > > > > > > > -----
> > > > > > > > > Uwe Schindler
> > > > > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > > > > > > eMail: uwe@thetaphi.de
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > > > > > > Sent: Tuesday, June 18, 2013 3:13 PM
> > > > > > > > > > To: general@lucene.apache.org
> > > > > > > > > > Subject: XSS Issue
> > > > > > > > > >
> > > > > > > > > > Dear Solr project members,
> > > > > > > > > >
> > > > > > > > > > I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2
> > > > > > > > > > version of Solr.
> > > > > > > > > >
> > > > > > > > > > How can I give you more details?
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Grégory Draperi
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Grégory Draperi
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Grégory Draperi
> > > >
> > > >
> > >
> > >
> > > --
> > > Grégory Draperi
> >
> >
> 
> 
> --
> Grégory Draperi


Re: XSS Issue

Posted by gregory draperi <gr...@gmail.com>.
Yes, it works because it exploits a CSRF issue and in my opinion it should
also be fixed like XSS vulnerabilities in the application.

I think we don't understand each other.

I'm going to send details to the private mailing list and I won't waste
more of your time.

Regards,




-- 
Grégory Draperi

RE: XSS Issue

Posted by Uwe Schindler <uw...@thetaphi.de>.
Have fun with this web page:

http://www.thetaphi.de/nukeyoursolrindex.html

It really works, if you have a default Solr instance running on your local machine on default port with default collection, and you open this web page -> this nukes your index. This has nothing to do with the Admin interface. 

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de




Re: XSS Issue

Posted by gregory draperi <gr...@gmail.com>.
This is a Cross-Site Request Forgery issue (not an XSS) and should be fixed,
for example, by adding an unpredictable parameter to the request.

I'm going to send to private@lucene.apache.org what I have found.

Best regards,

Grégory



-- 
Grégory Draperi

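Grégory's proposal, stated here and in his earlier message in this thread (treat the CSRF like an XSS and fix it in the application by adding an unpredictable parameter to the request), can be shown as a small request validator. The code below is an added example, not Solr's code and not from anyone in the thread; it assumes a server-side secret, a per-session HMAC token, a hypothetical `handle_update` endpoint and request dicts built by the caller. It also takes up Uwe's point that the stateful GET is the root of the problem: the first check refuses any index-changing request that is not a POST, which alone stops the `<img>` trick, and the token then covers the cross-site POST that an auto-submitted form could still send.

```python
"""Added example, not Solr code and not from anyone in this thread: the
"unpredictable parameter" defence against the forged update request.

Assumptions: a server-side secret generated at startup, a per-session token
derived from it with HMAC, a hypothetical update endpoint handle_update, and
requests passed in as plain dicts (method, params, session_id from the cookie).
"""
import hashlib
import hmac
import secrets

# Never sent to clients, so a page on a third-party site cannot compute a
# token; the browser's ambient session cookie does not carry one either.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Token the genuine UI embeds in its forms and XHR calls, bound to a session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, token) -> bool:
    """Constant-time check; rejects missing, malformed and other-session tokens."""
    if not isinstance(token, str) or not token:
        return False
    try:
        return hmac.compare_digest(issue_token(session_id), token)
    except TypeError:  # non-ASCII input cannot be a token we issued
        return False


def handle_update(request: dict) -> tuple:
    """Stand-in for an index-changing endpoint. Returns (HTTP status, reason)."""
    params = request.get("params", {})
    # Layer 1: stateful work never rides on GET. A cross-site <img src=...> or
    # a link in an e-mail can only produce a GET, so this alone stops the
    # img-tag trick discussed in the thread.
    if request.get("method") != "POST":
        return 405, "index-changing requests must be POST"
    # Layer 2: a cross-site auto-submitted form can still POST, but it cannot
    # include a token it has never seen.
    if not token_is_valid(request.get("session_id", ""), params.get("_csrf")):
        return 403, "missing or invalid CSRF token"
    return 200, "accepted"


if __name__ == "__main__":
    forged = {"method": "GET", "params": {"stream.body": "<commit/>"}, "session_id": "s1"}
    print(handle_update(forged))  # (405, 'index-changing requests must be POST')
    good = {"method": "POST", "session_id": "s1",
            "params": {"stream.body": "<commit/>", "_csrf": issue_token("s1")}}
    print(handle_update(good))  # (200, 'accepted')
```

The token is bound to the session, so one issued for a different session must not validate; otherwise any token an attacker obtained could be replayed against every user. `hmac.compare_digest` keeps the comparison constant-time.
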
RE: XSS Issue

Posted by Uwe Schindler <uw...@thetaphi.de>.
Just to show this without the admin interface: Add these two images to any web page like this:

<img src="http://localhost:8983/solr/collection1/update?stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E" />
<img src="http://localhost:8983/solr/collection1/update?stream.body=%3Ccommit/%3E" />

Anybody who visits this web page would nuke the index of his running solr server on the local machine - there is not even the admin web interface involved. Any REST API on earth has this problem, it is not specific to Solr!

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de



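From the defender's side, the two `<img>` requests above leave a distinctive trace in the web container's access log, which is where to look when deciding whether an index was wiped this way. The following is an added example (not Solr's code and nothing from Uwe's demo page) that scans NCSA combined-format log lines, the shape Jetty's request log and Apache httpd write; the sample lines and the `SOLR_HOSTS` set are constructed for the demo. It flags a request to the update handler when an index-changing command arrives in a GET query string, or when the Referer names a site other than the Solr host itself. A missing Referer is not treated as evidence either way, since browsers do not always send one.

```python
"""Added example, not Solr code and not from Uwe's demo page: scan a web
container's access log for the <img>-triggered index wipe described above.

Assumptions: NCSA combined log format (what Jetty's request log and Apache
httpd write), the constructed SAMPLE_LOG lines, and SOLR_HOSTS naming the
host:port values under which the instance is legitimately reached.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# XML update commands that change the index; a search request does not.
STATEFUL_TAGS = ("<delete", "<commit", "<optimize", "<add", "<rollback")

SOLR_HOSTS = {"localhost:8983", "solr.internal:8983"}  # constructed for the demo

SAMPLE_LOG = [  # constructed lines, not a real capture
    # The two requests the demo page triggers, as the container would log them
    # when the visitor's browser sends a Referer.
    '10.0.0.5 - - [18/Jun/2013:18:12:01 +0200] "GET /solr/collection1/update?'
    'stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E HTTP/1.1" '
    '200 41 "http://thirdparty.example/page.html" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Jun/2013:18:12:01 +0200] "GET /solr/collection1/update?'
    'stream.body=%3Ccommit/%3E HTTP/1.1" 200 41 "http://thirdparty.example/page.html" '
    '"Mozilla/5.0"',
    # A search from the admin UI and a POST from an in-house indexing client.
    '10.0.0.5 - - [18/Jun/2013:18:12:05 +0200] "GET /solr/collection1/select?q=*:*'
    '&wt=json HTTP/1.1" 200 1532 "http://localhost:8983/solr/" "Mozilla/5.0"',
    '10.0.0.9 - indexer [18/Jun/2013:18:13:00 +0200] "POST /solr/collection1/update?'
    'commit=true HTTP/1.1" 200 41 "-" "indexer-client/1.0"',
    # A cross-site POST (auto-submitted form) to the same endpoint.
    '10.0.0.5 - - [18/Jun/2013:18:14:30 +0200] "POST /solr/collection1/update '
    'HTTP/1.1" 200 41 "http://thirdparty.example/form.html" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Split one log line into its fields, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def stateful_body(query: str) -> bool:
    """True if the query string carries a stream.body with an index-changing command."""
    bodies = parse_qs(query).get("stream.body", [])  # parse_qs URL-decodes the values
    return any(tag in body.lower() for body in bodies for tag in STATEFUL_TAGS)


def classify(entry: dict) -> list:
    """Reasons an entry looks like a forged update; an empty list means not suspicious."""
    parts = urlsplit(entry["target"])
    if not parts.path.endswith("/update"):
        return []
    reasons = []
    # Index-changing command in a GET query string: exactly what <img src=...>
    # on a third-party page produces.
    if entry["method"] == "GET" and stateful_body(parts.query):
        reasons.append("stateful-update-via-GET")
    # Referer naming a site other than the Solr host: the page that triggered
    # the request was not served by the operator. An absent Referer is not evidence.
    if entry["referer"] not in ("", "-"):
        ref_host = urlsplit(entry["referer"]).netloc
        if ref_host not in SOLR_HOSTS:
            reasons.append("foreign-referer:" + ref_host)
    return reasons


def scan(lines) -> list:
    """Return (client ip, request target, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["target"], reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, ", ".join(reasons))
```

`scan(SAMPLE_LOG)` flags the two demo requests for both reasons and the cross-site POST for the foreign Referer only, while the admin UI's search and the indexing client's POST pass. One caveat on the mitigation Uwe recommends: HTTP basic auth on the container restricts who may talk to Solr, but once the administrator has authenticated in a browser, that browser attaches the credentials to a forged `<img>` request as well, so the unpredictable parameter or a POST-only update API is still needed alongside it.
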

RE: XSS Issue

Posted by Uwe Schindler <uw...@thetaphi.de>.
Hi,

You can of course send your investigation to private@lucene.apache.org; we greatly appreciate this.
An XSS problem in the Solr Admin interface can for sure be solved somehow, but it would not help to make Solr secure. Without the admin interface you can still add some image into any web page that executes a "delete whole index request" on the Solr server.

If you want to prevent this, you can add HTTP basic authentication to your web container, as described in the Solr wiki.

In general: if you have e.g. an EC2 cloud of Solr servers, add an extra security group to your cloud and limit all access from outside. Then also no admin can access this.

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: gregory draperi [mailto:gregory.draperi@gmail.com]
> Sent: Tuesday, June 18, 2013 5:46 PM
> To: Uwe Schindler
> Cc: general
> Subject: Re: XSS Issue
> 
> Yes he can do that but as I said the same problem can occur without his
> consent (and without a click) if he's on an arbitrary website which hosts an
> HTML IMG pointing to the vulnerable page of the Solr administrator interface
> (like <IMG src="http://X.X.X.X/solr/admin/xss_vulnerable_page/"> )
> 
> I'm thankful for your quick responses although I don't understand this
> philosophy. I note the point.
> 
> Regards,
> 
> Grégory DRAPERI
> 
> 
> 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> 
> > He can also delete his whole index with a single click on an HTTP link
> > referring to his Solr server. This is his problem. Never click on
> > links from eMail.
> > Solr is, as said already, not secured at all. If you want a "secure"
> > Solr server, rewrite the whole thing. The same applies to other
> > Lucene-based products like ElasticSearch that have no "security" included.
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: uwe@thetaphi.de
> >
> >
> > > -----Original Message-----
> > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > Sent: Tuesday, June 18, 2013 5:26 PM
> > > To: Uwe Schindler
> > > Cc: general
> > > Subject: Re: XSS Issue
> > >
> > > Hi Uwe,
> > >
> > > Thank you for your quick response.
> > >
> > > I'm a little bit surprised because XSS is not a problem of making
> > > Solr accessible or not to the Internet, because this is a reflected
> > > XSS. If an administrator receives a mail with a malicious link pointing
> > > to the Solr administrator interface and containing a malicious payload,
> > > he will execute the JavaScript if he clicks on it.
> > >
> > > There are also other techniques that can be used to make a Solr
> > > administrator execute this link without his consent (an HTML IMG TAG
> > > pointing to the Solr administration interface and hosted on a malicious
> > > website), and that will bypass network-based protection.
> > >
> > > Regards,
> > >
> > > Grégory DRAPERI
> > >
> > >
> > > 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> > >
> > > > Hi Grégory,
> > > >
> > > > Solr should always only listen on private networks; never make
> > > > it accessible to the internet. This is officially documented; for
> > > > more information about this, see:
> > > > http://wiki.apache.org/solr/SolrSecurity
> > > > Solr uses HTTP as its programming API and you can do everything
> > > > Java allows via HTTP, but HTTP does not mean it must be open to
> > > > the internet. By opening a Solr server to the internet you are
> > > > somehow wrapping everything Java allows to the internet, so it is
> > > > not recommended. Solr also has no security features at all;
> > > > managing this is all up to the front-end, sitting on internet or insecure
> > > > networks.
> > > >
> > > > There are already some issues open to limit some XSS and similar
> > access:
> > > > https://issues.apache.org/jira/browse/SOLR-4882
> > > >
> > > > Uwe
> > > >
> > > > -----
> > > > Uwe Schindler
> > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > eMail: uwe@thetaphi.de
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > Sent: Tuesday, June 18, 2013 3:13 PM
> > > > > To: general@lucene.apache.org
> > > > > Subject: XSS Issue
> > > > >
> > > > > Dear Solr project members,
> > > > >
> > > > > I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2
> > > > > version of Solr.
> > > > >
> > > > > How can I give you more details?
> > > > >
> > > > > Regards,
> > > > >
> > > > > --
> > > > > Grégory Draperi
> > > >
> > > >
> > >
> > >
> > > --
> > > Grégory Draperi
> >
> >
> 
> 
> --
> Grégory Draperi
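The point made in the message above, that fixing the admin-page XSS does not stop an image tag from triggering a state-changing request, comes down to what a server can and cannot see. The request arrives from the admin's own browser, so it originates inside the trusted network, and any credentials the browser has cached (HTTP basic auth included) are attached to it automatically; a security group or a login prompt therefore does not distinguish it from a legitimate admin request. What the server can check is the request's shape. The following is an added example, not Solr project code: a guard that refuses to change state on GET at all and requires a custom header on state-changing POSTs, which a cross-origin `<img>` or a plain HTML form cannot add. The endpoint paths and the header name are assumptions made for the example, not Solr's documented API.

```python
"""Added example, not Solr project code: a server-side guard against the
image-tag trigger discussed in the thread.  Endpoint paths and the marker
header are assumptions for the example."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed state-changing endpoints (placeholders, not Solr's real API).
STATE_CHANGING_PATHS = {"/solr/update", "/solr/admin/cores"}
# Assumed marker header: any header a simple cross-origin request cannot carry.
REQUIRED_HEADER = "x-requested-with"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup, as HTTP requires."""
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower())


def browser_img_fetch(url):
    """Model the request a browser issues for <img src=URL>: a GET carrying
    no custom headers, no matter which page embedded the tag or where the
    browser sits on the network."""
    return Request("GET", urlsplit(url).path)


def guard(req):
    """Decide whether a request may proceed.  Returns (allowed, reason).

    Read-only endpoints pass.  State-changing endpoints require POST (so a
    link or image fetch can never mutate anything) plus a marker header that
    only script running in the admin UI's own origin can attach."""
    if req.path not in STATE_CHANGING_PATHS:
        return True, "read-only endpoint"
    if req.method.upper() != "POST":
        return False, "state change attempted over %s; only POST accepted" % req.method
    if req.header(REQUIRED_HEADER) is None:
        return False, "state-changing POST without %s header" % REQUIRED_HEADER
    return True, "state-changing POST with marker header"


if __name__ == "__main__":
    # Constructed sample: a placeholder delete URL as it would sit in an <img> tag.
    img = browser_img_fetch("http://10.0.0.5/solr/update?body=PLACEHOLDER_DELETE_REQUEST")
    print(guard(img))
    print(guard(Request("POST", "/solr/update", {"X-Requested-With": "XMLHttpRequest"})))
```

The marker-header check only holds if the server does not answer cross-origin preflights permissively, since CORS approval is exactly what would let another origin add the header; and the change is, as the message says, an API change, because every client that mutated state over GET has to be moved to POST.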


Re: XSS Issue

Posted by gregory draperi <gr...@gmail.com>.
Yes he can do that but as I said the same problem can occur without his
consent (and without a click) if he's on an arbitrary website which hosts an
HTML IMG pointing to the vulnerable page of the Solr administrator
interface (like <IMG src="http://X.X.X.X/solr/admin/xss_vulnerable_page/"> )

I'm thankful for your quick responses although I don't understand this
philosophy. I note the point.

Regards,

Grégory DRAPERI


2013/6/18 Uwe Schindler <uw...@thetaphi.de>

> He can also delete his whole index with a single click on an HTTP link
> referring to his Solr server. This is his problem. Never click on links
> from eMail.
> Solr is, as said already, not secured at all. If you want a "secure" Solr
> server, rewrite the whole thing. The same applies to other Lucene-based
> products like ElasticSearch that have no "security" included.
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe@thetaphi.de
>
>
> > -----Original Message-----
> > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > Sent: Tuesday, June 18, 2013 5:26 PM
> > To: Uwe Schindler
> > Cc: general
> > Subject: Re: XSS Issue
> >
> > Hi Uwe,
> >
> > Thank you for your quick response.
> >
> > I'm a little bit surprised because XSS is not a problem of making Solr
> > accessible or not to the Internet, because this is a reflected XSS. If an
> > administrator receives a mail with a malicious link pointing to the Solr
> > administrator interface and containing a malicious payload, he will execute
> > the JavaScript if he clicks on it.
> >
> > There are also other techniques that can be used to make a Solr
> > administrator execute this link without his consent (an HTML IMG TAG
> > pointing to the Solr administration interface and hosted on a malicious
> > website), and that will bypass network-based protection.
> >
> > Regards,
> >
> > Grégory DRAPERI
> >
> >
> > 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> >
> > > Hi Grégory,
> > >
> > > Solr should always only listen on private networks; never make it
> > > accessible to the internet. This is officially documented; for more
> > > information about this, see: http://wiki.apache.org/solr/SolrSecurity
> > > Solr uses HTTP as its programming API and you can do everything Java
> > > allows via HTTP, but HTTP does not mean it must be open to the
> > > internet. By opening a Solr server to the internet you are somehow
> > > wrapping everything Java allows to the internet, so it is not
> > > recommended. Solr also has no security features at all; managing this
> > > is all up to the front-end, sitting on internet or insecure networks.
> > >
> > > There are already some issues open to limit some XSS and similar
> access:
> > > https://issues.apache.org/jira/browse/SOLR-4882
> > >
> > > Uwe
> > >
> > > -----
> > > Uwe Schindler
> > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > http://www.thetaphi.de
> > > eMail: uwe@thetaphi.de
> > >
> > >
> > > > -----Original Message-----
> > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > Sent: Tuesday, June 18, 2013 3:13 PM
> > > > To: general@lucene.apache.org
> > > > Subject: XSS Issue
> > > >
> > > > Dear Solr project members,
> > > >
> > > > I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2
> > > > version of Solr.
> > > >
> > > > How can I give you more details?
> > > >
> > > > Regards,
> > > >
> > > > --
> > > > Grégory Draperi
> > >
> > >
> >
> >
> > --
> > Grégory Draperi
>
>


-- 
Grégory Draperi

RE: XSS Issue

Posted by Uwe Schindler <uw...@thetaphi.de>.
He can also delete his whole index with a single click on an HTTP link referring to his Solr server. This is his problem. Never click on links from eMail.
Solr is, as said already, not secured at all. If you want a "secure" Solr server, rewrite the whole thing. The same applies to other Lucene-based products like ElasticSearch that have no "security" included.

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: gregory draperi [mailto:gregory.draperi@gmail.com]
> Sent: Tuesday, June 18, 2013 5:26 PM
> To: Uwe Schindler
> Cc: general
> Subject: Re: XSS Issue
> 
> Hi Uwe,
> 
> Thank you for your quick response.
> 
> I'm a little bit surprised because XSS is not a problem of making Solr accessible
> or not to the Internet, because this is a reflected XSS. If an administrator receives a
> mail with a malicious link pointing to the Solr administrator interface and
> containing a malicious payload, he will execute the JavaScript if he clicks on it.
> 
> There are also other techniques that can be used to make a Solr administrator
> execute this link without his consent (an HTML IMG TAG pointing to the Solr
> administration interface and hosted on a malicious website), and that will
> bypass network-based protection.
> 
> Regards,
> 
> Grégory DRAPERI
> 
> 
> 2013/6/18 Uwe Schindler <uw...@thetaphi.de>
> 
> > Hi Grégory,
> >
> > Solr should always only listen on private networks; never make it
> > accessible to the internet. This is officially documented; for more
> > information about this, see: http://wiki.apache.org/solr/SolrSecurity
> > Solr uses HTTP as its programming API and you can do everything Java
> > allows via HTTP, but HTTP does not mean it must be open to the
> > internet. By opening a Solr server to the internet you are somehow
> > wrapping everything Java allows to the internet, so it is not
> > recommended. Solr also has no security features at all; managing this
> > is all up to the front-end, sitting on internet or insecure networks.
> >
> > There are already some issues open to limit some XSS and similar access:
> > https://issues.apache.org/jira/browse/SOLR-4882
> >
> > Uwe
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: uwe@thetaphi.de
> >
> >
> > > -----Original Message-----
> > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > Sent: Tuesday, June 18, 2013 3:13 PM
> > > To: general@lucene.apache.org
> > > Subject: XSS Issue
> > >
> > > Dear Solr project members,
> > >
> > > I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2
> > > version of Solr.
> > >
> > > How can I give you more details?
> > >
> > > Regards,
> > >
> > > --
> > > Grégory Draperi
> >
> >
> 
> 
> --
> Grégory Draperi


Re: XSS Issue

Posted by gregory draperi <gr...@gmail.com>.
Hi Uwe,

Thank you for your quick response.

I'm a little bit surprised because XSS is not a problem of making Solr
accessible or not to the Internet, because this is a reflected XSS. If an
administrator receives a mail with a malicious link pointing to the Solr
administrator interface and containing a malicious payload, he will execute
the JavaScript if he clicks on it.

There are also other techniques that can be used to make a Solr administrator
execute this link without his consent (an HTML IMG TAG pointing to the Solr
administration interface and hosted on a malicious website), and that will
bypass network-based protection.

Regards,

Grégory DRAPERI


2013/6/18 Uwe Schindler <uw...@thetaphi.de>

> Hi Grégory,
>
> Solr should always only listen on private networks; never make it
> accessible to the internet. This is officially documented; for more
> information about this, see: http://wiki.apache.org/solr/SolrSecurity
> Solr uses HTTP as its programming API and you can do everything Java
> allows via HTTP, but HTTP does not mean it must be open to the internet. By
> opening a Solr server to the internet you are somehow wrapping everything
> Java allows to the internet, so it is not recommended. Solr also has no
> security features at all; managing this is all up to the front-end, sitting
> on internet or insecure networks.
>
> There are already some issues open to limit some XSS and similar access:
> https://issues.apache.org/jira/browse/SOLR-4882
>
> Uwe
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe@thetaphi.de
>
>
> > -----Original Message-----
> > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > Sent: Tuesday, June 18, 2013 3:13 PM
> > To: general@lucene.apache.org
> > Subject: XSS Issue
> >
> > Dear Solr project members,
> >
> > I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2
> > version of Solr.
> >
> > How can I give you more details?
> >
> > Regards,
> >
> > --
> > Grégory Draperi
>
>


-- 
Grégory Draperi
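The reflected-XSS pattern described in the message above, as an added example that is not part of the thread and not Solr's code: a request parameter copied verbatim into the HTML response lets a crafted link run script in the admin page's origin inside the admin's own browser, which is why reachability from the internet is beside the point. The fix is output encoding chosen for the context the value lands in, shown here next to the vulnerable form. The page layout and the parameter name `q` are assumptions for the example; the sample query string is constructed.

```python
"""Added example, not Solr project code: a reflected-XSS rendering bug in
vulnerable and hardened form.  Layout and parameter name are assumptions."""
from html import escape
from urllib.parse import parse_qs, urlencode

# Constructed sample query string: the value breaks out of a quoted attribute
# and then opens a script tag, covering both contexts the page uses.
SAMPLE_QUERY = urlencode({"q": '"><script>alert(1)</script>'})


def _param(query_string, name="q"):
    """First value of a query-string parameter, decoded; empty if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string):
    """Vulnerable: the parameter is interpolated verbatim into element text
    and into an attribute value, so markup in it becomes part of the page."""
    q = _param(query_string)
    return '<p>Results for: %s</p><input name="q" value="%s">' % (q, q)


def render_hardened(query_string):
    """Hardened: encode once per output context at the point of rendering."""
    q = _param(query_string)
    in_text = escape(q, quote=False)   # & < > are enough between tags
    in_attr = escape(q, quote=True)    # also " and ' inside a quoted attribute
    return '<p>Results for: %s</p><input name="q" value="%s">' % (in_text, in_attr)


def leaks_markup(rendered, raw_value):
    """Check usable in a test suite: does the raw parameter reach the
    response with its markup characters intact?"""
    return raw_value in rendered and any(c in raw_value for c in '<>"\'')


if __name__ == "__main__":
    raw = _param(SAMPLE_QUERY)
    print("vulnerable leaks markup:", leaks_markup(render_vulnerable(SAMPLE_QUERY), raw))
    print("hardened leaks markup:  ", leaks_markup(render_hardened(SAMPLE_QUERY), raw))
```

The `leaks_markup` check is deliberately crude: it catches the verbatim echo that defines this bug class, not every encoding mistake, so it belongs in a regression test next to a review of each interpolation point. A `Content-Security-Policy` response header limits what injected script can do if an interpolation is missed, but it is a second layer, not a substitute for encoding.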

RE: XSS Issue

Posted by Uwe Schindler <uw...@thetaphi.de>.
Hi Grégory,

Solr should always only listen on private networks; never make it accessible to the internet. This is officially documented; for more information about this, see: http://wiki.apache.org/solr/SolrSecurity
Solr uses HTTP as its programming API and you can do everything Java allows via HTTP, but HTTP does not mean it must be open to the internet. By opening a Solr server to the internet you are somehow wrapping everything Java allows to the internet, so it is not recommended. Solr also has no security features at all; managing this is all up to the front-end, sitting on internet or insecure networks.

There are already some issues open to limit some XSS and similar access: https://issues.apache.org/jira/browse/SOLR-4882

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: gregory draperi [mailto:gregory.draperi@gmail.com]
> Sent: Tuesday, June 18, 2013 3:13 PM
> To: general@lucene.apache.org
> Subject: XSS Issue
> 
> Dear Solr project members,
> 
> I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2 version of
> Solr.
> 
> How can I give you more details?
> 
> Regards,
> 
> --
> Grégory Draperi