Solr / SOLR-74

Cross-site scripting vulnerabilities

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.1.0
    • Component/s: web gui
    • Labels:
      None

      Description

      There are a number of cross-site scripting vulnerabilities in the Solr admin JSP pages, wherever data is being re-displayed as typed by the user.

      For example, in analysis.jsp: <textarea class="std" rows="1" cols="70" name="qval"><%= qval %></textarea>

      These need to be modified to HTML escape the values rather than directly outputting the exact values.

      The other affected JSP pages: action.jsp and get-file.jsp

        Activity

        Brian Chess added a comment -

        Two problems in action.jsp:
        100 <td>
        101 <%= action %><br>
        102 </td>

        108 <td>
        109 <%= enableActionStatus %><br>
        110 </td>

        One in get-file.jsp:
        59 out.println("Permission denied for file "+ fname);

        Three in analysis.jsp:
        64 <td>
        65 <input class="std" name="name" type="text" value="<%= name %>">
        66 </td>

        80 <td>
        81 <textarea class="std" rows="3" cols="70" name="val"><%= val %></textarea>
        82 </td>

        92 <td>
        93 <textarea class="std" rows="1" cols="70" name="qval"><%= qval %></textarea>
        94 </td>
        95 </tr>

        Otis Gospodnetic added a comment -

        analysis.jsp is getting changed in SOLR-58, so the last 3 CSS issues will be taken care of there.

        Hoss Man added a comment -

        I made the necessary changes to action.jsp, and analysis.jsp as well (since the analysis.jsp changes in SOLR-58 were rolled back recently)

        I didn't modify get-file.jsp – its MIME type is explicitly text/plain, so there's nothing to escape.

        Hoss Man added a comment -

        This bug was modified as part of a bulk update using the criteria...

        • Marked ("Resolved" or "Closed") and "Fixed"
        • Had no "Fix Version" versions
        • Was listed in the CHANGES.txt for 1.1

        The Fix Version for all 38 issues found was set to 1.1, email notification
        was suppressed to prevent excessive email.

        For a list of all the issues modified, search jira comments for this
        (hopefully) unique string: 20080415hossman3


          People

          • Assignee:
            Hoss Man
            Reporter:
            Erik Hatcher
          • Votes:
            0
            Watchers:
            0
