lucene-general mailing list archives

From "Uwe Schindler" <>
Subject RE: XSS Issue
Date Tue, 18 Jun 2013 15:05:33 GMT
Hi Grégory,

Solr should always listen only on private networks; never make it accessible to the internet.
This is officially documented; for more information about this, see:
Solr uses HTTP as its programming API and you can do everything Java allows via HTTP, but
HTTP does not mean it must be open to the internet. By opening a Solr server to the internet
you are somehow wrapping everything Java allows to the internet, so it is not recommended.
Solr also has no security features at all; managing this is all up to the front-end, sitting
on the internet or insecure networks.

There are already some issues open to limit some XSS and similar access:


Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen

> -----Original Message-----
> From: gregory draperi []
> Sent: Tuesday, June 18, 2013 3:13 PM
> To:
> Subject: XSS Issue
> Dear Solr project members,
> I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2 version of
> Solr.
> How can I give you more details?
> Regards,
> --
> Grégory Draperi
