Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-10031

ReplicationHandler path traversal vulnerability

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 6.4
    • Fix Version/s: 5.5.4, 6.4.1, 7.0
    • Component/s: replication (java)
    • Security Level: Public (Default Security Level. Issues are Public)
    • Labels:
      None

      Description

      Fra: Mark Thomas <markt@apache.org>
      Emne: Fwd: Apache Solr - security vulnerability (path traversal attack)
      Dato: 24. januar 2017 kl. 13.14.36 CET
      Til: private@lucene.apache.org
      Kopi: "security@apache.org" <security@apache.org>
      Svar til: private@lucene.apache.org

      Dear Apache Lucene PMC,

      The security vulnerability report has been received by the Apache
      Security Team and is being passed to you for action.

      Please take careful note of the following:

      • This information is private and should be treated accordingly. The
        issue must not be discussed on a public mailing list, it must not be
        added to a public bug tracker, etc.
      • The Lucene PMC is responsible for resolving this issue. The security
        team is here to provide help and advice but the responsibility to do the
        work lies with the Lucene PMC.

      You may find the "ASF Project Security for Committers" [1] a useful
      reference. This e-mail represents step three of that process. Step 4
      should be completed asap.

      Kind regards,

      Mark

      [1] http://www.apache.org/security/committers.html

      -------- Forwarded Message --------
      Subject: Apache Solr - security vulnerability (path traversal attack)
      Date: Mon, 23 Jan 2017 11:27:19 -0800
      From: Hrishikesh Gadre <gadre.solr@gmail.com>
      To: security@apache.org
      CC: Hrishikesh Gadre <gadre.solr@gmail.com>

      Hi,

      We found a path manipulation security vulnerability in Apache Solr after
      running HPE Fortify static code analyzer on the Solr codebase.

      Here is a brief description of this issue,

      • Apache Solr provides a "replication" handler which supports operations
        related to querying the state of an index as well as copying files
        associated with the index.

      https://cwiki.apache.org/confluence/display/solr/Index+Replication
      <https://cwiki.apache.org/confluence/display/solr/Index+Replication>

      This handler supports an HTTP API
      (/replication?command=filecontent&file=<file_name>) which is vulnerable
      to path traversal attack. Specifically, this API does not perform any
      validation of the user specified file_name parameter. This can allow an
      attacker to download any file readable to Solr server process even if
      it is not related to the actual Solr index state.
      https://www.owasp.org/index.php/Path_Traversal

      I have verified this with the Solr version 6.3. But I believe this
      vulnerability to be present for much longer (going back to v 4.10.x) . I
      am currently working on the fix. Please let me know the process to
      submit a patch for this.

      Thanks
      Hrishikesh

        Attachments

        1. SOLR-10031.patch
          4 kB
          Jan Høydahl
        2. SOLR-10031.patch
          4 kB
          Jan Høydahl
        3. SOLR-10031.patch
          4 kB
          Jan Høydahl
        4. SOLR-10031.patch
          4 kB
          Jan Høydahl
        5. SOLR-10031_branch5_5.patch
          5 kB
          Jan Høydahl
        6. path_traversal_fix.patch
          5 kB
          Jan Høydahl

          Activity

            People

            • Assignee:
              janhoy Jan Høydahl
              Reporter:
              janhoy Jan Høydahl
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: