SOLR-7346: Stored XSS in Admin UI Schema-Browser page and Analysis page

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.10.2, 5.0
    • Fix Version/s: 5.1, 6.0
    • Component/s: UI
    • Environment:

      linux x86_64
      jdk 1.7.0.75
      apache tomcat-7.0.57
      solr 5.0.0

      Description

      Like CVE-2014-3628, the vulnerability also exists in the Admin UI Schema-Browser page and Analysis page. It is caused by improper validation of user-supplied input, for example field names created via the Schema API. When the Schema-Browser page or Analysis page URL is clicked, an XSS will be triggered. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

      Patch for Solr 5.0.0:

      solr/webapp/web/js/scripts/schema-browser.js
          --- schema-browser.js   2015-04-03 14:42:19.000000000 +0800
      +++ schema-browser_patch.js     2015-04-03 14:42:59.000000000 +0800
      @@ -596,7 +596,7 @@
                           {
                             fields.push
                             (
      -                        '<option value="?field=' + field_name + '">' + field_name + '</option>'
      +                        '<option value="?field=' + field_name.esc() + '">' + field_name.esc() + '</option>'
                             );
                           }
                           if( 0 !== fields.length )
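Review bot: the same esc() helper is applied to both interpolations of field_name on the `+` line, but they land in two different contexts: the first inside a double-quoted attribute that is also a query string (`value="?field=...`), the second as element text. Confirm that esc() encodes `"` and `&` as well as `<` and `>`; if it only handles angle brackets, a field name containing `"` can still close the value attribute and append an event-handler attribute to the option. For the query-string part, percent-encoding before HTML-escaping covers both contexts, e.g. `'<option value="?field=' + encodeURIComponent(field_name).esc() + '">' + field_name.esc() + '</option>'`. Also worth checking that this loop is the only place in schema-browser.js where field_name is concatenated into markup.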
      
      solr/webapp/web/js/scripts/analysis.js
      --- analysis.js 2015-04-03 14:22:34.000000000 +0800
      +++ analysis_patch.js   2015-04-03 14:23:09.000000000 +0800
      @@ -80,7 +80,7 @@
                     {
                       fields.push
                       (
      -                  '<option value="fieldname=' + field_name + '">' + field_name + '</option>'
      +                  '<option value="fieldname=' + field_name.esc() + '">' + field_name.esc() + '</option>'
                       );
                     }
                     if( 0 !== fields.length )
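Review bot: same pattern as the schema-browser hunk, so the same caveat applies to `value="fieldname=' + field_name.esc()`: the value is double-quoted and appears to be consumed later as a query parameter, so esc() must also neutralise `"` for the attribute context and encodeURIComponent(field_name) would be the right first step for the URL part. Since only this option-list loop is touched, please confirm the other interpolations of field names and type names in analysis.js are covered too, and consider a test field named along the lines of `a"b<c` to make the regression visible in the rendered page.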
      

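The following is an added example, not the reporter's patch and not Solr's own code. It places the vulnerable string-building from the description beside a hardened form and runs both against constructed field names of the kind a Schema API caller can create. The helper names (escapeHtml, buildOptionVulnerable, buildOptionHardened, tagNames, openingTagAttributes, demo) and the two payload strings are assumptions of this example, and the hardened form goes one step beyond the patch by also percent-encoding the query-string component of the value attribute.

```javascript
// Added example (not Solr's code): vulnerable vs. hardened construction of the
// <option> markup that SOLR-7346 patches, exercised with constructed field names.

// HTML-escape for element text and double-quoted attribute values.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Before the fix: the field name is interpolated raw into a quoted attribute
// and into a text node.
function buildOptionVulnerable(fieldName) {
  return '<option value="?field=' + fieldName + '">' + fieldName + '</option>';
}

// Hardened form: percent-encode the query-string component, then HTML-escape
// each interpolation for the context it lands in.
function buildOptionHardened(fieldName) {
  var query = '?field=' + encodeURIComponent(fieldName);
  return '<option value="' + escapeHtml(query) + '">' +
         escapeHtml(fieldName) + '</option>';
}

// Naive scan for tag names in the markup, in order. A clean <option> yields
// exactly ['option', 'option'].
function tagNames(html) {
  var names = [];
  var re = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  var m;
  while ((m = re.exec(html)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Attribute names on the opening tag. A clean <option> has only 'value'.
function openingTagAttributes(html) {
  var open = html.match(/^<[a-zA-Z]+([^>]*)>/);
  if (!open) { return []; }
  var attrs = [];
  var re = /\s([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=/g;
  var m;
  while ((m = re.exec(open[1])) !== null) {
    attrs.push(m[1].toLowerCase());
  }
  return attrs;
}

// Constructed payloads (hypothetical field names): the first breaks out of the
// text node into a new element, the second breaks out of the value attribute.
var PAYLOAD_TAG = 'name<img src=x onerror=alert(1)>';
var PAYLOAD_ATTR = 'name" onmouseover="alert(1)';

function demo() {
  return {
    vulnTags: tagNames(buildOptionVulnerable(PAYLOAD_TAG)),
    hardTags: tagNames(buildOptionHardened(PAYLOAD_TAG)),
    vulnAttrs: openingTagAttributes(buildOptionVulnerable(PAYLOAD_ATTR)),
    hardAttrs: openingTagAttributes(buildOptionHardened(PAYLOAD_ATTR))
  };
}
```

The two scanners are deliberately simple: they only have to show that the vulnerable builder emits an extra <img> element and an extra onmouseover attribute while the hardened builder emits neither. Encoding the URL component first and HTML-escaping second matters because the value attribute is both a query string and attribute text; escaping for one context alone leaves the other open.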
        Activity

        ASF subversion and git services added a comment -

        Commit 1671580 from Timothy Potter in branch 'dev/trunk'
        [ https://svn.apache.org/r1671580 ]

        SOLR-7346: Stored XSS in Admin UI Schema-Browser page and Analysis page

        ASF subversion and git services added a comment -

        Commit 1671581 from Timothy Potter in branch 'dev/branches/branch_5x'
        [ https://svn.apache.org/r1671581 ]

        SOLR-7346: Stored XSS in Admin UI Schema-Browser page and Analysis page

        ASF subversion and git services added a comment -

        Commit 1671582 from Timothy Potter in branch 'dev/branches/lucene_solr_5_1'
        [ https://svn.apache.org/r1671582 ]

        SOLR-7346: Stored XSS in Admin UI Schema-Browser page and Analysis page

        Timothy Potter added a comment -

        Thanks for your contribution Mei.

        Timothy Potter added a comment -

        Bulk close after 5.1 release


          People

          • Assignee: Timothy Potter
          • Reporter: Mei Wang
          • Votes: 0
          • Watchers: 3

          Time Tracking

          • Original Estimate: 96h
          • Remaining Estimate: 96h
          • Time Spent: Not Specified