Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-7346

Stored XSS in Admin UI Schema-Browser page and Analysis page

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.10.2, 5.0
    • Fix Version/s: 5.1, 6.0
    • Component/s: Admin UI
    • Labels:
    • Environment:

      linux x86_64
      jdk 1.7.0.75
      apache tomcat-7.0.57
      solr 5.0.0

      Description

      Like CVE-2014-3628 , the vulnerability also exists in Admin UI Schema-Browser page and Analysis page, which was caused by improper validation of user-supplied input, for example, create fields by Schema API. When the Schema-Browser page or Analysis page url is clicked, an XSS will be triggered. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
      patch for solr5.0.0

      solr/webapp/web/js/scripts/schema-browser.js
          --- schema-browser.js   2015-04-03 14:42:19.000000000 +0800
      +++ schema-browser_patch.js     2015-04-03 14:42:59.000000000 +0800
      @@ -596,7 +596,7 @@
                           {
                             fields.push
                             (
      -                        '<option value="?field=' + field_name + '">' + field_name + '</option>'
      +                        '<option value="?field=' + field_name.esc() + '">' + field_name.esc() + '</option>'
                             );
                           }
                           if( 0 !== fields.length )
      
      solr/webapp/web/js/scripts/analysis.js
      --- analysis.js 2015-04-03 14:22:34.000000000 +0800
      +++ analysis_patch.js   2015-04-03 14:23:09.000000000 +0800
      @@ -80,7 +80,7 @@
                     {
                       fields.push
                       (
      -                  '<option value="fieldname=' + field_name + '">' + field_name + '</option>'
      +                  '<option value="fieldname=' + field_name.esc() + '">' + field_name.esc() + '</option>'
                       );
                     }
                     if( 0 !== fields.length )
      

        Attachments

          Activity

            People

            • Assignee:
              thelabdude Timothy Potter
              Reporter:
              meilin Mei Wang
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - 96h
                96h
                Remaining:
                Remaining Estimate - 96h
                96h
                Logged:
                Time Spent - Not Specified
                Not Specified