lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jonathan Rochkind <>
Subject Re: XML injection interface in select servlet?
Date Tue, 20 Sep 2011 15:28:21 GMT
On Sep 20, 2011, at 04:33 , Jan Peter Stotz wrote:
>> I am now asking myself why would someone implement such a bloodcurdling
>> vulnerability into a web service? Until now I haven't found an exploit
>> using the parameters in a way an attacker would get an advantage. But the
>> way those parameters are implemented raise some doubts on my side if
>> security has been seriously taken into account while implementing Solr...

Solr committers can correct me if I'm wrong, but my impression is that 
the Solr API itself is generally _not_ intended to be exposed to the 
world. It's expected to be protected behind a firewall, accessed by 
trusted applications.

People periodically post to this list planning on exposing it to the 
world anyway; but my impression is there may be all kinds of security 
problems there, as well as DoS possibilities, etc.

So I think it may be safe to say that security has not been seriously 
taken into account -- if you mean security on a Solr instance which has 
it's entire API exposed publically to the world.  I don't think that's 
the intended use case.

View raw message