Solr: SOLR-1031

XSS vulnerability in schema.jsp (patch included)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.2, 1.3
    • Fix Version/s: 1.4
    • Component/s: web gui
    • Labels:
      None

      Description

      If javascript is embedded in any of the fields, it is possible for that javascript to be executed when viewing the schema.

      The javascript will appear in the "Top Terms" part of the UI.

      I have created a simple patch to prevent this problem from occurring.

      Attachments

      1. SchemaXSS.patch (0.9 kB, Paul Lovvik)
      2. SOLR-1031.patch (0.9 kB, Peter Wolanin)

        Activity

        Paul Lovvik created issue -
        Paul Lovvik added a comment -

        Here is the patch.

        Paul Lovvik made changes -
        Attachment: (none) -> SchemaXSS.patch [ 12400638 ]
        Paul Lovvik made changes -
        Description: the original value (the issue description above) was replaced with the following, which prepends the patch text to it:

        Hmmm... I apparently can't attach the patch, so here is the patch text:

        Index: src/webapp/web/admin/schema.jsp
        ===================================================================
        --- src/webapp/web/admin/schema.jsp (revision 746406)
        +++ src/webapp/web/admin/schema.jsp (working copy)
        @@ -490,14 +490,10 @@
                 
                 var numTerms = 0;
                 $.each(topTerms, function(term, count) {
        - var row = document.createElement('tr');
        - var c1 = document.createElement('td');
        - c1.innerHTML=term;
        - var c2 = document.createElement('td');
        - c2.innerHTML=count;
        - row.appendChild(c1);
        - row.appendChild(c2);
        - tbody.appendChild(row);
        + var c1 = $('<td>').text(term);
        + var c2 = $('<td>').text(count);
        + var row = $('<tr>').append(c1).append(c2);
        + tbody.appendChild(row.get(0));
                   numTerms++;
                 });
                 tbl.appendChild(tbody);
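Review bot: the replacement closes the innerHTML sink for both `term` and `count` in this loop, but it mixes native DOM and jQuery calls (`tbody.appendChild(row.get(0))` while `tbody` and `tbl` stay raw elements); `$(tbody).append(row)` would keep the whole loop in one API and drop the `.get(0)`. The hunk also only covers the top-terms table: any other place in schema.jsp that assigns index-derived strings (field names, values, term text) through innerHTML has exactly the same exposure and should be converted to `.text()` in the same commit, otherwise the fix is partial.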
        Peter Wolanin added a comment (edited) -

        To add a little more background - I ran into this bug while doing work on our Drupal integration module. It's easy to demonstrate, and basically happens if a script is indexed in an unprocessed or untokenized field (e.g. a string field) and shows up as one of the top terms on the schema browser page (schema.jsp) when one goes to examine a particular field.

        The risk of allowing such script to execute could include modification or deletion of the index, as well as other XSS attacks, and the danger of a small JS payload is potentially enhanced by the fact that it could probably use jQuery functions like jQuery.post().

        For the Drupal module we are mitigating this risk by using the PHP strip_tags() function prior to indexing content, but it seems like this is something Solr should handle more generally.

        I first observed the bug in Solr 1.3, and it's still present in trunk (1.4).

        Re-posting Paul's patch with the preferred naming.

        Peter Wolanin made changes -
        Attachment: (none) -> SOLR-1031.patch [ 12400647 ]
        Peter Wolanin added a comment -

        Drupal ships with a little JS function for sanitizing output (works like the PHP function htmlspecialchars($text, ENT_QUOTES)). Possibly you could add something similar if the text() function doesn't give the desired output:

        /**
         * Encode special characters in a plain-text string for display as HTML.
         */
        Drupal.checkPlain = function(str) {
          str = String(str);
          var replace = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
          for (var character in replace) {
            var regex = new RegExp(character, 'g');
            str = str.replace(regex, replace[character]);
          }
          return str;
        };
        

        http://php.net/htmlspecialchars

        http://cvs.drupal.org/viewvc.py/drupal/drupal/misc/drupal.js?revision=1.50&view=markup

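The exploit path described in the comments above (a script stored in an untokenized string field surfacing as a top term) and the escaping approach of Drupal.checkPlain, as one added example. This is not code from Solr, from the patch or from Drupal: it models the schema.jsp "Top Terms" table as HTML strings rather than DOM nodes so it runs in plain Node, and the function names (escapeHtml, renderTopTermsUnsafe, renderTopTermsSafe, containsInlineHandler), the SAMPLE_TOP_TERMS input and the payload term are all constructed for the illustration.

```javascript
// Added example (not Solr's, the patch's or Drupal's code): a string-based model
// of the schema.jsp "Top Terms" table, rendered the pre-fix way (innerHTML
// semantics) and the post-fix way (text-node semantics), so the difference can be
// checked without a browser. All inputs below are constructed for the example.

// Escape the characters that matter inside an HTML text node or a quoted
// attribute value. '&' must be handled first so the entities introduced by the
// later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pre-fix behaviour: the term string is placed straight into markup, which is
// what `c1.innerHTML = term` did. Any tag in the term is parsed by the browser
// and any inline event handler on it executes.
function renderTopTermsUnsafe(topTerms) {
  let rows = '';
  for (const [term, count] of Object.entries(topTerms)) {
    rows += `<tr><td>${term}</td><td>${count}</td></tr>`;
  }
  return `<table><tbody>${rows}</tbody></table>`;
}

// Post-fix behaviour: the term is inert text. jQuery's `.text(term)` gets this
// by creating a text node; when markup is built as a string, escaping every
// interpolated value is the equivalent.
function renderTopTermsSafe(topTerms) {
  let rows = '';
  for (const [term, count] of Object.entries(topTerms)) {
    rows += `<tr><td>${escapeHtml(term)}</td><td>${escapeHtml(count)}</td></tr>`;
  }
  return `<table><tbody>${rows}</tbody></table>`;
}

// True if the rendered markup still contains a parseable element carrying an
// inline on* handler, i.e. an indexed term survived as live HTML, not as text.
function containsInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample input in the shape the schema browser iterates with
// $.each(topTerms, ...): term -> document count. One term is an XSS payload
// that a document could carry in a string field.
const SAMPLE_TOP_TERMS = {
  'solr': 42,
  '<img src=x onerror="alert(document.cookie)">': 7,
  'lucene': 3,
};

// Render the sample both ways and report whether each result is still live HTML.
function demo() {
  const unsafe = renderTopTermsUnsafe(SAMPLE_TOP_TERMS);
  const safe = renderTopTermsSafe(SAMPLE_TOP_TERMS);
  return {
    unsafe,
    safe,
    unsafeIsLive: containsInlineHandler(unsafe),
    safeIsLive: containsInlineHandler(safe),
  };
}

console.log(demo());
```

The escaping covers both the text-node context and quoted-attribute context, which is why the quote characters are included as in htmlspecialchars($text, ENT_QUOTES); it is not needed when the DOM is built with jQuery's .text() or with document.createTextNode, since those never pass the string through the HTML parser, and it must never be applied twice to the same value.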
        Erik Hatcher added a comment -

        Patch applied, tested, and committed. Thanks, Paul and Peter!

        Erik Hatcher made changes -
        Status: Open [ 1 ] -> Resolved [ 5 ]
        Resolution: Fixed [ 1 ]
        Erik Hatcher made changes -
        Fix Version/s: 1.4 [ 12313351 ]
        Grant Ingersoll added a comment -

        Bulk close for Solr 1.4

        Grant Ingersoll made changes -
        Status: Resolved [ 5 ] -> Closed [ 6 ]

          People

          • Assignee:
            Unassigned
            Reporter:
            Paul Lovvik
          • Votes:
            0
            Watchers:
            1
