lucene-dev mailing list archives

From "Prafulla Kiran (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SOLR-3419) XSS vulnerability in the json.wrf parameter
Date Fri, 27 Apr 2012 12:11:51 GMT
Prafulla Kiran created SOLR-3419:
------------------------------------

             Summary: XSS vulnerability in the json.wrf parameter
                 Key: SOLR-3419
                 URL: https://issues.apache.org/jira/browse/SOLR-3419
             Project: Solr
          Issue Type: Bug
          Components: Response Writers
    Affects Versions: 3.5
            Reporter: Prafulla Kiran
            Priority: Minor


There's no filtering of the wrapper function name passed to the Solr search service. If the name of the wrapper function passed to the Solr query service is the following string -

%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E

Solr passes the string back as-is, which results in an XSS attack in browsers like IE-7 which perform mime-sniffing. In any case, the callback function in a JSONP response should always be sanitized - http://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org
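
The callback sanitization the report asks for, sketched as an added example (not Solr's code and not part of the original message): an allowlist check that accepts only dot-separated ASCII JavaScript identifiers for the wrapper function name and rejects anything else instead of echoing it. The class name, the `MAX_LEN` limit and the choice to reject with an error are assumptions of this sketch.

```java
import java.net.URLDecoder;
import java.util.regex.Pattern;

public class JsonpCallbackCheck {
    // Allowlist: dot-separated ASCII JavaScript identifiers, e.g. "cb" or "app.onResult".
    private static final Pattern CALLBACK = Pattern.compile(
        "[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*");
    private static final int MAX_LEN = 128; // assumed limit, not taken from the issue

    static boolean isSafeCallback(String name) {
        // matches() anchors the pattern to the whole string, so no trailing junk gets through.
        return name != null && name.length() <= MAX_LEN && CALLBACK.matcher(name).matches();
    }

    // Builds the response body; an unvalidated wrapper name is never written to the output.
    static String wrap(String callback, String json) {
        if (callback == null || callback.isEmpty()) {
            return json; // no wrapper requested: plain JSON
        }
        if (!isSafeCallback(callback)) {
            // The caller would map this to an HTTP 400 response.
            throw new IllegalArgumentException("invalid json.wrf value");
        }
        return callback + "(" + json + ")";
    }

    public static void main(String[] args) throws Exception {
        String json = "{\"responseHeader\":{\"status\":0}}"; // constructed sample body
        // The value from the report, URL-decoded as a servlet container would decode it.
        String reported = URLDecoder.decode(
            "%3C!doctype%20html%3E%3Chtml%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%281%29%22%3E%3C/body%3E%3C/html%3E",
            "UTF-8");
        // Constructed candidates: three well-formed names, the reported value, two malformed names.
        String[] candidates = {
            "handleResults", "app.onSolr", "jQuery17_123", reported, "cb;alert", "a..b" };
        for (String c : candidates) {
            try {
                System.out.println("OK      " + wrap(c, json));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT  " + c.length() + "-char value: " + e.getMessage());
            }
        }
    }
}
```

The first three candidates are wrapped and printed; the reported value and the two malformed names are rejected, and the rejection message reports only the length so the input is not reflected.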

