Solr / SOLR-3419

XSS vulnerability in the json.wrf parameter

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Not A Problem
    • Affects Version/s: 3.5
    • Fix Version/s: None
    • Component/s: Response Writers
    • Labels: None

      Description

      There's no filtering of the wrapper function name passed to the Solr search service.
      If the name of the wrapper function passed to the Solr query service is the following string -
      %3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E

      Solr passes the string back as-is which results in an XSS attack in browsers like IE-7 which perform mime-sniffing. In any case, the callback function in a jsonp response should always be sanitized - http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call

        Activity

        jamesefrank James Frank added a comment -

        Just an agreement that this should be resolved and SOLR should sanitize the json.wrf callback. We are facing an issue where this vulnerability was pulled up in a security scan and we will need to implement external sanitization through a proxy in order to resolve it. This is really something that should be happening internally.
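
Added example, not part of the issue thread or of Solr's code: the wrapper-name check that the description asks for, placed where the comment above plans to do it, at a proxy in front of Solr. The name `check_query`, the length cap and the choice to treat `callback` like `json.wrf` are assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl

# Added example, not Solr code. json.wrf is the parameter from the issue;
# treating "callback" the same way is an assumption.
WRAPPER_PARAMS = ("json.wrf", "callback")

# Allowlist: a dotted JavaScript identifier such as "cb" or "app.onResults".
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
SAFE_WRAPPER = re.compile(rf"{_IDENT}(?:\.{_IDENT})*")
MAX_LEN = 128  # assumed cap; no legitimate function name needs more

# The wrapper value quoted in the issue description, still percent-encoded.
REPORTED_VALUE = ("%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22"
                  "%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E")


def check_query(raw_query):
    """Return (allowed, reason) for the raw query string of a Solr request.

    Every occurrence of a wrapper parameter is checked after percent-decoding,
    because the proxy and the backend may not pick the same one when the
    parameter is repeated. Other parameters are left alone.
    """
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        if name not in WRAPPER_PARAMS:
            continue
        if len(value) > MAX_LEN:
            return False, f"{name}: longer than {MAX_LEN} characters"
        if not SAFE_WRAPPER.fullmatch(value):
            return False, f"{name}: not a plain function name"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests; only REPORTED_VALUE comes from the page.
    samples = [
        "q=*:*&wt=json&json.wrf=handleResults",
        "q=*:*&wt=json&json.wrf=" + REPORTED_VALUE,
        "q=*:*&wt=json&json.wrf=app.cb&json.wrf=%3Cscript%3E",
        "q=%3Cb%3Etitle%3C/b%3E&wt=json",
    ]
    for query in samples:
        allowed, reason = check_query(query)
        print("PASS " if allowed else "BLOCK", reason, "|", query[:60])
```

A request that fails the check is better answered with an HTTP 400 at the proxy than rewritten and forwarded, so the backend never sees a wrapper name the proxy did not approve.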

        aberonxp Stanislav Stolpovskiy added a comment -

        I tried to reproduce this on Solr 3.4 and html characters were automatically escaped in my case.
        Does it mean that this vulnerability is present only in 3.5 version?

        ryantxu Ryan McKinley added a comment -

        seems like this can not hurt

        elyograg Shawn Heisey added a comment -

        My boss asked me about cross-site vulnerabilities in Solr today. I remembered reading something about some vulnerabilities, so I went looking and found this.

        This issue is particularly old and the code in 5.x is likely very different. Is this still a problem?

        allufarp Prafulla Kiran added a comment -

        It most likely isn't. I'm not in a position to verify this. Can someone from SOLR close this?

        upayavira Upayavira added a comment -

        After some digging, I realised that this was referring to the 3.x admin UI, which has long since been replaced. Closing this ticket.

        upayavira Upayavira added a comment -

        No longer a problem since the arrival of the 4.x admin UI

        urbanows Shayne Urbanowski added a comment -

        I'm not sure that this is only related to the admin UI.

        My security scanning tool is detecting a vulnerability related to embedding a script tag in the json.wrf, callback, group, facet or _ parameters in Solr API requests.


          People

          • Assignee: Unassigned
          • Reporter: allufarp Prafulla Kiran
          • Votes: 0
          • Watchers: 8