From Gus Heck <gus.h...@gmail.com>
Subject Re: Web Server HTTP Header Internal IP Disclosure SOLR port
Date Wed, 09 Jan 2019 15:38:22 GMT
This sounds like something that might crop up if the admin UI were exposed
to an alternate (or public) network space through a tunnel or proxy. The
server knows nothing about the proxy/tunnel, and the cloud page has nice
clickable machine names that point at the internal DNS or IP names of the
nodes. This does not however give access to said nodes or the network
space. One might, I suppose, worry that it reveals which internal IP space is
in use, but if someone you don't trust with that information can already
see the admin UI you have much bigger problems.

On Mon, Jan 7, 2019 at 3:15 AM Jan Høydahl <jan.asf@cominvent.com> wrote:

> Are you saying that the redirect from http://my.ip:8983/ to
> http://my.ip:8983/solr/ is a security issue for you? Please tell us how
> this could be by providing a real example where you believe that Solr
> exposes some secret information that the requesting client should not gain
> access to? Remember that Solr is not any random Web server and must be
> firewalled and not exposed to the internet. Your security scan tool may
> have other assumptions?
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> > 7. jan. 2019 kl. 05:55 skrev Muniraj M <muniraj.m@ewallsolutions.com>:
> >
> > Hi,
> >
> > I am using Apache SOLR 6.6.5 as my search engine and when we do security
> > scan on our server, we got the below response
> >
> > *When processing the following request : GET / HTTP/1.0 this web server
> > leaks the following private IP address : X.X.X.X as found in the following
> > collection of HTTP headers : HTTP/1.1 302 Found
> > Location: http://X.X.X.X:8983/solr/
> > Content-Length: 0*
> >
> > I have checked for more time however haven't found any solutions to fix this
> > problem. Any idea of how to solve this would be really appreciated.
> >
> > --
> > Regards,
> > *Muniraj M*
>
>

-- 
http://www.the111shift.com
