lucene-general mailing list archives

From gregory draperi <gregory.drap...@gmail.com>
Subject Re: XSS Issue
Date Tue, 18 Jun 2013 15:46:18 GMT
Yes he can do that but as I said the same problem can occur without his
consent (and without a click) if he's on an arbitrary website which hosts an
HTML IMG pointing to the vulnerable page of the solr administrator
interface (like <IMG src="http://X.X.X.X/solr/admin/xss_vulnerable_page/"> )

I'm thankful for your quick responses even though I don't understand this
philosophy. I note the point.

Regards,

Grégory DRAPERI


2013/6/18 Uwe Schindler <uwe@thetaphi.de>

> He can also delete his whole index with a single click on a http link
> referring to his Solr server. This is his problem. Never click on links
> from eMail.
> Solr is, as said already, not secured at all. If you want a "secure" Solr
> server, rewrite the whole thing. The same applies to other Lucene based
> products like ElasticSearch that have no "security" included.
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe@thetaphi.de
>
>
> > -----Original Message-----
> > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > Sent: Tuesday, June 18, 2013 5:26 PM
> > To: Uwe Schindler
> > Cc: general
> > Subject: Re: XSS Issue
> >
> > Hi Uwe,
> >
> > Thank you for your quick response.
> >
> > I'm a little bit surprised because XSS is not a problem of making solr
> > accessible or not to Internet because this is a reflected XSS. If an
> > administrator receives a mail with a malicious link pointing to the solr
> > administrator interface and containing a malicious payload he will execute
> > the JavaScript if he clicks on it.
> >
> > There are also other techniques that can be used to make a Solr
> > administrator execute this link without his consent (an HTML IMG tag
> > pointing to the Solr administration interface and hosted on a malicious
> > website), and that will bypass network-based protection.
> >
> > Regards,
> >
> > Grégory DRAPERI
> >
> >
> > 2013/6/18 Uwe Schindler <uwe@thetaphi.de>
> >
> > > Hi Grégory,
> > >
> > > Solr should always only listen on private networks, never make it
> > > accessible to the internet. This is officially documented; for more
> > > information about this, see: http://wiki.apache.org/solr/SolrSecurity
> > > Solr uses HTTP as its programming API and you can do everything Java
> > > allows via HTTP, but HTTP does not mean it must be open to the
> > > internet. By opening a Solr server to the internet you are somehow
> > > wrapping everything Java allows to the internet, so it is not
> > > recommended. Solr also has no security features at all; managing this
> > > is all up to the front-end, sitting on internet or insecure networks.
> > >
> > > There are already some issues open to limit some XSS and similar
> > > access: https://issues.apache.org/jira/browse/SOLR-4882
> > >
> > > Uwe
> > >
> > > -----
> > > Uwe Schindler
> > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > http://www.thetaphi.de
> > > eMail: uwe@thetaphi.de
> > >
> > >
> > > > -----Original Message-----
> > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > Sent: Tuesday, June 18, 2013 3:13 PM
> > > > To: general@lucene.apache.org
> > > > Subject: XSS Issue
> > > >
> > > > Dear Solr project members,
> > > >
> > > > I think I have found a XSS (Cross-Site Scripting) issue in the 3.6.2
> > > > version of Solr.
> > > >
> > > > How can I give you more details?
> > > >
> > > > Regards,
> > > >
> > > > --
> > > > Grégory Draperi
> > >
> > >
> >
> >
> > --
> > Grégory Draperi
>
>


-- 
Grégory Draperi
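The thread turns on one point: a reflected XSS in an admin page is triggered by a plain GET request that the administrator's own browser makes, whether from a clicked mail link or from an IMG tag on an unrelated site, so placing the server on a private network does not remove it; the fix is output encoding of the reflected parameter. The following Python snippet is an added illustration and is not code from Solr, from SOLR-4882 or from anyone in this thread. It shows a minimal handler that reflects a query parameter verbatim beside the same handler with HTML encoding, plus the check a defender would run against a page to see whether a parameter is echoed unencoded. The URL, path and parameter name are constructed placeholders, not real Solr endpoints.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request: a link to an admin-style page that reflects the "q"
# parameter. Host, path and parameter are placeholders, not a Solr endpoint.
CONSTRUCTED_URL = (
    "http://solr.internal.example/solr/admin/search?q=%3Cb%3Eprobe%3C%2Fb%3E"
)


def param_from_url(url: str, name: str) -> str:
    """Extract one query parameter the way a request handler would see it
    (percent-decoded), so the reflected value is the raw user input."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(q: str) -> str:
    """Reflects the parameter verbatim into element text: a reflected-XSS sink.
    Any markup in q becomes part of the page the admin's browser renders."""
    return f"<html><body><p>Results for: {q}</p></body></html>"


def render_hardened(q: str) -> str:
    """Same page, with the parameter HTML-encoded for an element-text context.
    '<', '>', '&' and quotes come back as entities and are displayed, not parsed."""
    return f"<html><body><p>Results for: {html.escape(q, quote=True)}</p></body></html>"


def render_hardened_attr(q: str) -> str:
    """Reflecting into a quoted attribute value. quote=True is what keeps a
    double quote in q from terminating the attribute; element-text escaping
    alone would not be enough in this context."""
    return f'<input type="text" name="q" value="{html.escape(q, quote=True)}">'


def reflects_unescaped(render, probe: str = "<b>probe</b>") -> bool:
    """Defender's check: feed a harmless markup probe through a renderer and
    see whether it comes back byte-for-byte. True means the parameter is
    reflected without encoding and the page is a reflected-XSS sink."""
    return probe in render(probe)


if __name__ == "__main__":
    q = param_from_url(CONSTRUCTED_URL, "q")
    print("decoded parameter:", q)
    print("vulnerable handler echoes markup:", reflects_unescaped(render_vulnerable))
    print("hardened handler echoes markup:  ", reflects_unescaped(render_hardened))
    print(render_hardened_attr(q))
```

The probe is deliberately inert markup; the check only asks whether the page echoes it unchanged, which is the property that matters regardless of what an attacker would substitute. Encoding has to match the context the value lands in (element text, attribute value, script, URL), which is why the attribute variant is shown separately.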
