lucene-dev mailing list archives

From Jan Høydahl (JIRA) <j...@apache.org>
Subject [jira] [Resolved] (SOLR-10031) ReplicationHandler path traversal vulnerability
Date Wed, 15 Feb 2017 22:55:42 GMT

     [ https://issues.apache.org/jira/browse/SOLR-10031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl resolved SOLR-10031.
--------------------------------
    Resolution: Fixed

> ReplicationHandler path traversal vulnerability
> -----------------------------------------------
>
>                 Key: SOLR-10031
>                 URL: https://issues.apache.org/jira/browse/SOLR-10031
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: replication (java)
>    Affects Versions: 6.4
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Blocker
>             Fix For: master (7.0), 6.4.1, 5.5.4
>
>         Attachments: path_traversal_fix.patch, SOLR-10031_branch5_5.patch, SOLR-10031.patch, SOLR-10031.patch, SOLR-10031.patch, SOLR-10031.patch
>
>
> From: Mark Thomas <markt@apache.org>
> Subject: Fwd: Apache Solr - security vulnerability (path traversal attack)
> Date: 24 January 2017 at 13:14:36 CET
> To: private@lucene.apache.org
> Cc: "security@apache.org" <security@apache.org>
> Reply-To: private@lucene.apache.org
> Dear Apache Lucene PMC,
> The security vulnerability report has been received by the Apache
> Security Team and is being passed to you for action.
> Please take careful note of the following:
> - This information is private and should be treated accordingly. The
> issue must not be discussed on a public mailing list, it must not be
> added to a public bug tracker, etc.
> - The Lucene PMC is responsible for resolving this issue. The security
> team is here to provide help and advice but the responsibility to do the
> work lies with the Lucene PMC.
> You may find the "ASF Project Security for Committers" [1] a useful
> reference. This e-mail represents step three of that process. Step 4
> should be completed asap.
> Kind regards,
> Mark
> [1] http://www.apache.org/security/committers.html
> -------- Forwarded Message --------
> Subject: 	Apache Solr - security vulnerability (path traversal attack)
> Date: 	Mon, 23 Jan 2017 11:27:19 -0800
> From: 	Hrishikesh Gadre <gadre.solr@gmail.com>
> To: 	security@apache.org
> CC: 	Hrishikesh Gadre <gadre.solr@gmail.com>
> Hi,
> We found a path manipulation security vulnerability in Apache Solr after
> running HPE Fortify static code analyzer on the Solr codebase.
> Here is a brief description of this issue,
> - Apache Solr provides a "replication" handler which supports operations
> related to querying the state of an index as well as copying files
> associated with the index.
> https://cwiki.apache.org/confluence/display/solr/Index+Replication
> This handler supports an HTTP API
> (/replication?command=filecontent&file=<file_name>) which is vulnerable
> to path traversal attack. Specifically, this API does not perform any
> validation of the user specified file_name parameter. This can allow an
> attacker to download *any* file readable to Solr server process even if
> it is not related to the actual Solr index state.
> https://www.owasp.org/index.php/Path_Traversal
> I have verified this with the Solr version 6.3. But I believe this
> vulnerability to be present for much longer (going back to v 4.10.x). I
> am currently working on the fix. Please let me know the process to
> submit a patch for this.
> Thanks
> Hrishikesh



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
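
The report above says the `file` parameter of `command=filecontent` is used without any validation. The following is an added example of the kind of check that closes that gap; it is not the patch attached to SOLR-10031 and not Solr code. The class name `IndexFileNameCheck`, the method `resolveIndexFile` and the sample inputs are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class IndexFileNameCheck {

    /** Resolve a client-supplied file name inside indexDir, or throw if it could escape it. */
    static Path resolveIndexFile(Path indexDir, String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty() || fileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed file name");
        }
        // Index files are addressed by bare name: refuse separators (both styles) and dot entries.
        if (fileName.contains("/") || fileName.contains("\\")
                || fileName.equals(".") || fileName.equals("..")) {
            throw new IllegalArgumentException("file name must be a single path segment");
        }
        Path base = indexDir.toRealPath();
        Path candidate = base.resolve(fileName).normalize();
        // Second, independent check: the normalized result must be a direct child of the directory.
        if (!base.equals(candidate.getParent())) {
            throw new IllegalArgumentException("file is outside the index directory");
        }
        // A symlink inside the directory could still point elsewhere; compare the real path too.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new IllegalArgumentException("file resolves outside the index directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path indexDir = Files.createTempDirectory("index"); // constructed stand-in for an index dir
        Files.createFile(indexDir.resolve("segments_1"));
        // Constructed sample inputs: one legitimate name, then names that must be refused.
        String[] samples = {"segments_1", "../../etc/passwd", "/etc/passwd", "..\\conf\\x", "..", ""};
        for (String s : samples) {
            try {
                System.out.println("ALLOW  " + resolveIndexFile(indexDir, s).getFileName());
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT '" + s + "': " + e.getMessage());
            }
        }
    }
}
```

The name check and the containment check are deliberately redundant, so a gap in one (for example an encoding the first check does not anticipate) is still caught by the other.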
