Solr / SOLR-3419

XSS vulnerability in the json.wrf parameter

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.5
    • Fix Version/s: None
    • Component/s: Response Writers
    • Labels:
      None

      Description

      There's no filtering of the wrapper function name passed to the Solr search service.
      If the name of the wrapper function passed to the Solr query service is the following string:
      %3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E

      Solr passes the string back as-is, which results in an XSS attack in browsers like IE-7 which perform MIME sniffing. In any case, the callback function in a JSONP response should always be sanitized: http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call
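
      Added example, not part of the original report and not Solr's own code: one way to sanitize a JSONP wrapper name such as json.wrf is to accept only dotted JavaScript identifiers and reject everything else. The class name, the length limit and the sample response body are assumptions made for illustration.

```java
import java.util.regex.Pattern;

/** Added example: allow-list validation for a JSONP wrapper name such as json.wrf. */
public class JsonpCallbackCheck {
    // Assumed policy: dotted JavaScript identifiers, e.g. "cb" or "app.handlers.onData".
    private static final Pattern SAFE_CALLBACK =
        Pattern.compile("[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*");
    private static final int MAX_LENGTH = 128; // assumed limit

    /** True only if the name is a plain dotted identifier of bounded length. */
    static boolean isSafeCallback(String name) {
        return name != null
            && name.length() <= MAX_LENGTH
            && SAFE_CALLBACK.matcher(name).matches();
    }

    /** Wraps a JSON body in the callback, or rejects the request outright. */
    static String wrap(String callback, String jsonBody) {
        if (!isSafeCallback(callback)) {
            // Reject instead of stripping characters: the server should answer 400.
            throw new IllegalArgumentException("invalid JSONP callback name");
        }
        // The "/**/" prefix keeps caller-influenced bytes from starting the body.
        return "/**/" + callback + "(" + jsonBody + ");";
    }

    public static void main(String[] args) {
        String body = "{\"response\":{\"numFound\":0,\"docs\":[]}}"; // constructed sample
        String[] candidates = {
            "handleResults",
            "app.search.onData",
            // URL-decoded form of the value quoted in the report
            "<!doctype html><html><body><img src=\"x\" onerror=\"alert(1)\"></body></html>",
            "cb;other()" // constructed: statement separator inside the name
        };
        for (String c : candidates) {
            try {
                System.out.println("OK       " + wrap(c, body));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED " + c);
            }
        }
    }
}
```

      Sending the response with X-Content-Type-Options: nosniff additionally covers browsers that honor that header; the allow-list covers those that do not.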


          People

          • Assignee: Unassigned
          • Reporter: Prafulla Kiran
          • Votes: 0
          • Watchers: 3
