lucene-dev mailing list archives

From "Timothy Potter (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (SOLR-7346) Stored XSS in Admin UI Schema-Browser page and Analysis page
Date Mon, 06 Apr 2015 16:52:12 GMT

     [ https://issues.apache.org/jira/browse/SOLR-7346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Timothy Potter resolved SOLR-7346.
----------------------------------
       Resolution: Fixed
    Fix Version/s: 5.1
                   Trunk
         Assignee: Timothy Potter

Thanks for your contribution Mei.

> Stored XSS in Admin UI Schema-Browser page and Analysis page
> ------------------------------------------------------------
>
>                 Key: SOLR-7346
>                 URL: https://issues.apache.org/jira/browse/SOLR-7346
>             Project: Solr
>          Issue Type: Bug
>          Components: UI
>    Affects Versions: 4.10.2, 5.0
>         Environment: linux x86_64
> jdk 1.7.0.75
> apache tomcat-7.0.57
> solr 5.0.0
>            Reporter: Mei Wang
>            Assignee: Timothy Potter
>              Labels: patch, security
>             Fix For: Trunk, 5.1
>
>   Original Estimate: 96h
>  Remaining Estimate: 96h
>
> Like CVE-2014-3628, the vulnerability also exists in the Admin UI Schema-Browser page and
> Analysis page. It is caused by improper validation of user-supplied input, for example
> field names created through the Schema API. When the Schema-Browser page or Analysis page
> URL is opened, an XSS will be triggered. An attacker could use this vulnerability to steal
> the victim's cookie-based authentication credentials.
> Patch for Solr 5.0.0:
> {noformat}
> solr/webapp/web/js/scripts/schema-browser.js
>     --- schema-browser.js   2015-04-03 14:42:19.000000000 +0800
> +++ schema-browser_patch.js     2015-04-03 14:42:59.000000000 +0800
> @@ -596,7 +596,7 @@
>                      {
>                        fields.push
>                        (
> -                        '<option value="?field=' + field_name + '">' + field_name
+ '</option>'
> +                        '<option value="?field=' + field_name.esc() + '">' + field_name.esc()
+ '</option>'
>                        );
>                      }
>                      if( 0 !== fields.length )
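Review bot: the `+` line puts `field_name.esc()` inside a double-quoted attribute (`'<option value="?field=' + field_name.esc() + '">'`), but `esc()` is not defined in this patch, so the review needs to confirm it escapes `"` and `&` in addition to `<` and `>`. If it only handles angle brackets, a field name containing `"` still closes the `value` attribute and can add new attributes to the `<option>`; in that case extend `esc()` or use a dedicated attribute-escaping helper for the `value` attribute and keep `.esc()` for the text between the tags.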
> solr/webapp/web/js/scripts/analysis.js
> --- analysis.js 2015-04-03 14:22:34.000000000 +0800
> +++ analysis_patch.js   2015-04-03 14:23:09.000000000 +0800
> @@ -80,7 +80,7 @@
>                {
>                  fields.push
>                  (
> -                  '<option value="fieldname=' + field_name + '">' + field_name
+ '</option>'
> +                  '<option value="fieldname=' + field_name.esc() + '">' + field_name.esc()
+ '</option>'
>                  );
>                }
>                if( 0 !== fields.length )
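Review bot: on the `+` line, `'<option value="fieldname=' + field_name.esc() + '">'` HTML-escapes a value that is later consumed as a query-string fragment but never URL-encodes it, so a field name containing `&`, `=`, `#` or whitespace produces a malformed `fieldname=` parameter. Consider `encodeURIComponent(field_name)` for the attribute value (HTML-escaped after encoding) while keeping `.esc()` for the visible label; the same question of whether `esc()` escapes `"` applies to this double-quoted attribute, since the helper's definition is not part of the patch.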
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
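The following is an added illustration, not code from the Solr project or from the patch above, of the mechanism the issue describes: a field name that an attacker stored through the Schema API is concatenated into an `<option>` builder and rendered as markup. The vulnerable builder mirrors the pre-patch string concatenation; the hardened builder uses a hypothetical `escapeHtml()` helper (the page does not show how Solr's `esc()` is implemented, so this helper is an assumption that escapes `&`, `<`, `>`, `"` and `'`) and additionally URL-encodes the query value, which goes beyond the patch. The malicious field name is constructed for the example.

```javascript
// Added example (not Solr's code): stored XSS through an <option> builder and a
// context-aware fix. The field name below is a constructed attacker payload of the
// kind the issue says can be created via the Schema API.
const MALICIOUS_FIELD_NAME = 'title"><img src=x onerror=alert(document.cookie)><"';

// Vulnerable builder: same pattern as the pre-patch code, raw concatenation into
// both a double-quoted attribute and a text node.
function buildOptionVulnerable(fieldName) {
  return '<option value="?field=' + fieldName + '">' + fieldName + '</option>';
}

// Hypothetical helper (assumption, not Solr's esc()): escapes every character that
// matters in HTML text and in double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Hardened builder: the attribute carries a URL, so URL-encode the field name first,
// then HTML-escape the whole attribute value; the label is plain text and only needs
// HTML escaping.
function buildOptionHardened(fieldName) {
  const href = '?field=' + encodeURIComponent(fieldName);
  return '<option value="' + escapeHtml(href) + '">' + escapeHtml(fieldName) + '</option>';
}

// Checker: the output must be exactly one <option value="..."> ... </option>, with no
// tag characters left inside the attribute or the label. A payload that breaks out of
// the attribute quotes or adds tags fails this check.
function containsInjectedMarkup(html) {
  const m = html.match(/^<option value="([^"]*)">([\s\S]*)<\/option>$/);
  if (!m) return true; // structure did not survive (e.g. attribute quote broken)
  return /[<>]/.test(m[1]) || /[<>]/.test(m[2]);
}

// Side-by-side run for the reader.
console.log('vulnerable:', buildOptionVulnerable(MALICIOUS_FIELD_NAME));
console.log('injected?  ', containsInjectedMarkup(buildOptionVulnerable(MALICIOUS_FIELD_NAME)));
console.log('hardened:  ', buildOptionHardened(MALICIOUS_FIELD_NAME));
console.log('injected?  ', containsInjectedMarkup(buildOptionHardened(MALICIOUS_FIELD_NAME)));
```

The checker is deliberately strict about the attribute: an escaping helper that only rewrites `<` and `>` would still let a `"` in the field name close the `value` attribute, which is why the hardened builder escapes `"` and `&` as well and encodes the URL component before it ever reaches the HTML context.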


