Solr / SOLR-3419

XSS vulnerability in the json.wrf parameter

Details

• Type: Bug
• Status: Closed
• Priority: Minor
• Resolution: Not A Problem
• Affects Version/s: 3.5
• Fix Version/s: None
• Component/s: Response Writers
• Labels: None

Description

There's no filtering of the wrapper function name passed to the Solr search service. If the name of the wrapper function passed to the Solr query service is the following string:

%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E

Solr passes the string back as-is, which results in an XSS attack in browsers like IE-7 that perform MIME sniffing. In any case, the callback function in a JSONP response should always be sanitized: http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call
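An added example (not Solr's code and not part of this report) of the allow-list check the description calls for: the wrapper name is accepted only if it is a plain JavaScript member expression, and anything else is refused rather than reflected back. The function names, the `/**/` prefix and the response headers are my choices, not Solr's.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Allow-list for a JSONP wrapper name: a JavaScript identifier, optionally
# followed by dotted members or numeric indices, e.g. "app.cb" or "cbs[0]".
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
_CALLBACK_RE = re.compile(rf"^{_IDENT}(?:\.{_IDENT}|\[\d+\])*$")
MAX_CALLBACK_LEN = 128

# Constructed copy of the URL-encoded wrapper value quoted in the report.
REPORTED_WRAPPER = (
    "%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22"
    "%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E"
)


def is_safe_callback(name: str) -> bool:
    """True only if `name` is a plain member expression; markup, quotes,
    parentheses and over-long values are all rejected."""
    if not name or len(name) > MAX_CALLBACK_LEN:
        return False
    return _CALLBACK_RE.fullmatch(name) is not None


def build_jsonp_response(payload_json: str, wrapper: Optional[str]):
    """Return (status, headers, body) for a JSON reply, wrapped on request.

    The wrapper is validated, never echoed. The leading comment and the
    script content type make a browser treat the body as code rather than
    HTML, and nosniff tells newer browsers not to re-guess the type.
    """
    if wrapper is None:
        return 200, {"Content-Type": "application/json; charset=utf-8"}, payload_json
    if not is_safe_callback(wrapper):
        # Refuse the request; the offending string is not reflected anywhere.
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid json.wrf value"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, f"/**/{wrapper}({payload_json});"


if __name__ == "__main__":
    status, _, body = build_jsonp_response('{"hits":1}', unquote(REPORTED_WRAPPER))
    print(status, body)                                        # 400 invalid json.wrf value
    print(build_jsonp_response('{"hits":1}', "app.cb")[2])     # /**/app.cb({"hits":1});
```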

Attachments

1. Screen Shot 2017-10-17 at 3.14.43 PM.png (57 kB) - Chris Brockmeier
2. SOLR-3419-escape.patch (1 kB) - Ryan McKinley


People

• Assignee: Unassigned
• Reporter: allufarp Prafulla Kiran
• Votes: 0
• Watchers: 9
