lucene-general mailing list archives

From "Uwe Schindler" <...@thetaphi.de>
Subject RE: XSS Issue
Date Tue, 18 Jun 2013 16:00:51 GMT
Hi,

you can of course send your investigation to private@lucene.apache.org, we greatly appreciate
this.
An XSS problem in the Solr Admin interface can for sure be solved somehow, but would not help
to make Solr secure. Without the admin interface you can still add some image into any web
page that executes a "delete whole index request" on the Solr server.

If you want to prevent this, you can add HTTP basic authentication to your web container,
as described in the solr wiki.

In general: If you have e.g. an EC2 cloud of Solr servers, add an extra security group to your
cloud and limit all access from outside. Then no admin can access it either.

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: gregory draperi [mailto:gregory.draperi@gmail.com]
> Sent: Tuesday, June 18, 2013 5:46 PM
> To: Uwe Schindler
> Cc: general
> Subject: Re: XSS Issue
> 
> Yes, he can do that, but as I said the same problem can occur without his
> consent (and without a click) if he's on an arbitrary website which hosts an
> HTML IMG pointing to the vulnerable page of the Solr administrator interface
> (like <IMG src="http://X.X.X.X/solr/admin/xss_vulnerable_page/"> )
> 
> I'm thankful for your quick responses, although I don't understand this
> philosophy. I note the point.
> 
> Regards,
> 
> Grégory DRAPERI
> 
> 
> 2013/6/18 Uwe Schindler <uwe@thetaphi.de>
> 
> > He can also delete his whole index with a single click on a http link
> > referring to his Solr server. This is his problem. Never click on
> > links from eMail.
> > Solr is, as said already, not secured at all. If you want a "secure"
> > Solr server, rewrite the whole thing. The same applies to other Lucene
> > based products like ElasticSearch that have no "security" included.
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: uwe@thetaphi.de
> >
> >
> > > -----Original Message-----
> > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > Sent: Tuesday, June 18, 2013 5:26 PM
> > > To: Uwe Schindler
> > > Cc: general
> > > Subject: Re: XSS Issue
> > >
> > > Hi Uwe,
> > >
> > > Thank you for your quick response.
> > >
> > > I'm a little bit surprised, because XSS is not a problem of making Solr
> > > accessible or not to the Internet, because this is a reflected XSS. If an
> > > administrator receives a mail with a malicious link pointing to the Solr
> > > administrator interface and containing a malicious payload, he will execute
> > > the JavaScript if he clicks on it.
> > >
> > > There are also other techniques that can be used to make a Solr administrator
> > > execute this link without his consent (an HTML IMG tag pointing to the Solr
> > > administration interface and hosted on a malicious website), and that will
> > > bypass network based protection.
> > >
> > > Regards,
> > >
> > > Grégory DRAPERI
> > >
> > >
> > > 2013/6/18 Uwe Schindler <uwe@thetaphi.de>
> > >
> > > > Hi Grégory,
> > > >
> > > > Solr should always only listen on private networks; never make
> > > > it accessible to the internet. This is officially documented; for
> > > > more information about this, see:
> > > > http://wiki.apache.org/solr/SolrSecurity
> > > > Solr uses HTTP as its programming API and you can do everything
> > > > Java allows via HTTP, but HTTP does not mean it must be open to
> > > > the internet. By opening a Solr server to the internet you are
> > > > somehow wrapping everything Java allows to the internet, so it is
> > > > not recommended. Solr also has no security features at all;
> > > > managing this is all up to the front-end, sitting on the internet or
> > > > insecure networks.
> > > >
> > > > There are already some issues open to limit some XSS and similar
> > > > access:
> > > > https://issues.apache.org/jira/browse/SOLR-4882
> > > >
> > > > Uwe
> > > >
> > > > -----
> > > > Uwe Schindler
> > > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > > http://www.thetaphi.de
> > > > eMail: uwe@thetaphi.de
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > Sent: Tuesday, June 18, 2013 3:13 PM
> > > > > To: general@lucene.apache.org
> > > > > Subject: XSS Issue
> > > > >
> > > > > Dear Solr project members,
> > > > >
> > > > > I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2
> > > > > version of Solr.
> > > > >
> > > > > How can I give you more details?
> > > > >
> > > > > Regards,
> > > > >
> > > > > --
> > > > > Grégory Draperi
> > > >
> > > >
> > >
> > >
> > > --
> > > Grégory Draperi
> >
> >
> 
> 
> --
> Grégory Draperi
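The two points argued above (an <IMG> tag on any web page can fire a "delete whole index" GET at Solr, and the fix belongs in the web container or in front of Solr rather than in the admin UI) can be made concrete with a request policy. The following is an added example, not code from the Solr project, the Solr wiki or either poster: it models the checks that basic auth at the container plus a small proxy rule would enforce, and runs constructed requests through them. The host address, the `indexer` credential, the `X-Solr-Client` header name and the parameter list are assumptions made for the example.

```python
"""Request policy for a Solr endpoint, modelled after the advice in the thread.

Added example, not code from the Solr project or from either poster. It checks
the kind of request an <img> tag or e-mail link can produce against a policy a
web container or reverse proxy in front of Solr could enforce: basic auth for
admin and update requests, no state changes over GET, and a custom header that a
cross-site <img> or <form> cannot set. Host, credential and header names are
assumptions made for the example.
"""
import base64
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

USERS = {"indexer": "s3cret-demo-password"}   # assumed basic-auth realm contents
CLIENT_HEADER = "X-Solr-Client"               # assumed header; browsers will not add it cross-site
# Parameters that drive update handling or remote streaming; older Solr versions
# also dispatch /select?qt=... to other handlers, so qt counts as well.
SENSITIVE_PARAMS = {"stream.body", "stream.url", "stream.file", "commit", "optimize", "qt"}


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


def basic_auth_ok(headers):
    """Validate an HTTP Basic Authorization header against USERS."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:           # bad base64 or non-UTF-8 payload
        return False
    return USERS.get(user) == password


def classify(req):
    """Return 'mutation', 'admin' or 'query' for a Solr request URL."""
    parts = urlsplit(req.url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if "/update" in parts.path or SENSITIVE_PARAMS.intersection(params):
        return "mutation"
    if "/admin" in parts.path:
        return "admin"
    return "query"


def decide(req):
    """Policy verdict: 'allow' or a 'deny: <reason>' string."""
    kind = classify(req)
    if kind == "query":
        return "allow"                       # read path; left to the front-end, as in the thread
    if not basic_auth_ok(req.headers):
        return "deny: no valid basic auth"   # what container-level basic auth alone gives you
    if kind == "admin":
        return "allow"
    if req.method.upper() != "POST":
        return "deny: state change via " + req.method.upper()
    if CLIENT_HEADER not in req.headers:
        return "deny: missing " + CLIENT_HEADER
    return "allow"


def demo():
    """Run constructed requests through the policy; returns {case: verdict}."""
    solr = "http://10.0.0.5:8983/solr"        # assumed private-network address
    auth = "Basic " + base64.b64encode(b"indexer:s3cret-demo-password").decode()
    delete_all = solr + "/update?stream.body=<delete><query>*:*</query></delete>&commit=true"
    cases = {
        "img tag, no credentials": Request("GET", delete_all),
        "img tag, browser replays cached basic auth": Request("GET", delete_all, {"Authorization": auth}),
        "cross-site form POST, cached basic auth": Request("POST", solr + "/update?commit=true", {"Authorization": auth}),
        "indexer POST": Request("POST", solr + "/update?commit=true", {"Authorization": auth, CLIENT_HEADER: "indexer/1.0"}),
        "search query": Request("GET", solr + "/select?q=*:*"),
        "qt routed to update handler": Request("GET", solr + "/select?qt=/update&stream.body=<delete><query>*:*</query></delete>"),
        "admin UI, no credentials": Request("GET", solr + "/admin/"),
        "admin UI, credentials": Request("GET", solr + "/admin/", {"Authorization": auth}),
    }
    return {name: decide(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:45} -> {verdict}")
```

The first case is the thread's point: with nothing in front of Solr, an `<img>` GET from any page deletes the index. The second and third cases are the caveat a practitioner should keep in mind when following the basic-auth advice: browsers resend cached Basic credentials on image and form requests to that host, so authentication alone does not stop a logged-in admin's browser from being used; the POST-only rule and the custom header (which a cross-site `<img>` or plain `<form>` cannot set) are what close that route. Solr itself enforces none of this, so the check sits in the container or a proxy, with the security-group restriction recommended above still in place.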

