lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexandre Rafalovitch (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-9790) Thers is a xss issue in schema-browser page of old.html
Date Tue, 22 Nov 2016 22:01:58 GMT

    [ https://issues.apache.org/jira/browse/SOLR-9790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15688040#comment-15688040
] 

Alexandre Rafalovitch commented on SOLR-9790:
---------------------------------------------

I'll look into this, though the Admin UI should not be exposed to the non-trusted users in
the first place. Direct Solr access means indexes can be modified or deleted with a URL call,
no need for XSS.

> Thers is a xss issue in schema-browser page of old.html
> -------------------------------------------------------
>
>                 Key: SOLR-9790
>                 URL: https://issues.apache.org/jira/browse/SOLR-9790
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: web gui
>    Affects Versions: 6.2.1
>            Reporter: liuyang
>            Assignee: Alexandre Rafalovitch
>            Priority: Minor
>
> In Solr Admin Web UI click "original UI", and then input a url like "https://127.0.0.1:8986/solr/old.html#/testxss_shard1_replica1/schema-browser?field=<script>alert(123456)</script>;"
to the browser address, you will get alert box with "123456".



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message