Solr issue SOLR-3419

XSS vulnerability in the json.wrf parameter

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Not A Problem
    • Affects Version/s: 3.5
    • Fix Version/s: None
    • Component/s: Response Writers
    • Labels: None

      Description

      There's no filtering of the wrapper function name passed to the solr search service.
      If the name of the wrapper function passed to the solr query service is the following string -
      %3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E

      solr passes the string back as-is which results in an XSS attack in browsers like IE-7 which perform mime-sniffing. In any case, the callback function in a jsonp response should always be sanitized - http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call
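
      Added illustration (not Solr's own code) of the sanitization the description calls for: a model of the echo-as-is behaviour the report describes beside a hardened handler that allow-lists the callback name and labels the response so a browser cannot sniff it as HTML. The function names, the text/plain default and the response dict shape are assumptions.

```python
import re
from urllib.parse import unquote

# Allow-list for a JSONP callback: a dotted JavaScript identifier such as
# "jQuery17_cb" or "my.ns.handler". Anything else (angle brackets, quotes,
# parentheses, whitespace) is rejected instead of being echoed back.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64

# The wrapper name quoted in the report, as it arrives URL-encoded on the wire.
REPORTED_WRF = unquote(
    "%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22"
    "%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E"
)


def is_safe_callback(name: str) -> bool:
    """True only for a non-empty, bounded-length dotted identifier."""
    return 0 < len(name) <= MAX_CALLBACK_LEN and _CALLBACK_RE.fullmatch(name) is not None


def unsafe_jsonp_response(json_wrf: str, body_json: str) -> dict:
    """The behaviour the report describes: the wrapper name is used as-is,
    so markup in json.wrf reaches a MIME-sniffing browser unchanged.
    (Hypothetical model of the response, not Solr's writer code.)"""
    return {
        "status": 200,
        "headers": {"Content-Type": "text/plain"},  # assumed sniffable default
        "body": f"{json_wrf}({body_json})",
    }


def hardened_jsonp_response(json_wrf: str, body_json: str) -> dict:
    """Reject anything outside the allow-list and label the response so the
    browser never treats it as HTML."""
    if not is_safe_callback(json_wrf):
        return {"status": 400, "headers": {"Content-Type": "text/plain"},
                "body": "invalid json.wrf"}
    return {
        "status": 200,
        "headers": {
            "Content-Type": "application/javascript; charset=utf-8",
            "X-Content-Type-Options": "nosniff",  # closes the IE mime-sniffing path
        },
        # The leading comment is a common JSONP hardening so the body cannot
        # start with caller-chosen bytes even if validation is ever bypassed.
        "body": f"/**/{json_wrf}({body_json});",
    }
```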

        Activity

        James Frank added a comment -

        Just an agreement that this should be resolved and SOLR should sanitize the json.wrf callback. We are facing an issue where this vulnerability was pulled up in a security scan and we will need to implement external sanitization through a proxy in order to resolve it. This is really something that should be happening internally.

        Stanislav Stolpovskiy added a comment -

        I tried to reproduce this on Solr 3.4 and html characters were automatically escaped in my case.
        Does it mean that this vulnerability is present only in 3.5 version?

        Ryan McKinley added a comment -

        Seems like this cannot hurt.

        Shawn Heisey added a comment -

        My boss asked me about cross-site vulnerabilities in Solr today. I remembered reading something about some vulnerabilities, so I went looking and found this.

        This issue is particularly old and the code in 5.x is likely very different. Is this still a problem?

        Prafulla Kiran added a comment -

        It most likely isn't. I'm not in a position to verify this. Can someone from SOLR close this?

        Upayavira added a comment -

        After some digging, I realised that this was referring to the 3.x admin UI, which has long since been replaced. Closing this ticket.

        Upayavira added a comment -

        No longer a problem since the arrival of the 4.x admin UI

        Shayne Urbanowski added a comment -

        I'm not sure that this is only related to the admin UI.

        My security scanning tool is detecting a vulnerability related to embedding a script tag in the json.wrf, callback, group, facet or _ parameters in Solr API requests.


          People

          • Assignee: Unassigned
          • Reporter: Prafulla Kiran
          • Votes: 0
          • Watchers: 8
