lucene-general mailing list archives

From "Uwe Schindler" <...@thetaphi.de>
Subject RE: XSS Issue
Date Tue, 18 Jun 2013 15:05:33 GMT
Hi Grégory,

Solr should always listen only on private networks; never make it accessible to the internet.
This is officially documented; for more information about this, see: http://wiki.apache.org/solr/SolrSecurity
Solr uses HTTP as its programming API and you can do everything Java allows via HTTP, but
HTTP does not mean it must be open to the internet. By opening a Solr server to the internet
you are somehow wrapping everything Java allows to the internet, so it is not recommended.
Solr also has no security features at all; managing this is all up to the front-end, sitting
on the internet or insecure networks.

There are already some issues open to limit some XSS and similar access: https://issues.apache.org/jira/browse/SOLR-4882

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: gregory draperi [mailto:gregory.draperi@gmail.com]
> Sent: Tuesday, June 18, 2013 3:13 PM
> To: general@lucene.apache.org
> Subject: XSS Issue
> 
> Dear Solr project members,
> 
> I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2 version of
> Solr.
> 
> How can I give you more details?
> 
> Regards,
> 
> --
> Grégory Draperi
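
The reply's advice to keep Solr on private networks can be checked on a host with the script below, which is an added example and not part of the original thread or of Solr's own code. It reads `ss -ltn` output and reports listeners on the Solr port that are not bound to a loopback or private address; port 8983 (Solr's default) and the sample output are assumptions constructed for illustration.

```python
import ipaddress

# Ranges treated as non-internet-facing: loopback, RFC 1918, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "fc00::/7")]

def classify_bind(host):
    """Return 'wildcard', 'internal' or 'public' for a listen address."""
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface
    if host == "*":
        return "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:                   # 0.0.0.0 or :: = every interface
        return "wildcard"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "public"

def audit_listeners(ss_output, port=8983):
    """Return (local_address, kind) for listeners on `port` needing review.

    port=8983 is assumed (Solr's default); the thread names no port.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                        # header or non-listening socket
        host, _, lport = fields[3].rpartition(":")
        if lport != str(port):
            continue
        kind = classify_bind(host)
        if kind != "internal":              # wildcard may reach a public NIC
            findings.append((fields[3], kind))
    return findings

# Constructed sample of `ss -ltn` output, not taken from a real host.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     127.0.0.1:8983     0.0.0.0:*
LISTEN 0      50     0.0.0.0:8983       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      50     203.0.113.10:8983  0.0.0.0:*
LISTEN 0      50     [fd00::5]:8983     [::]:*
"""

if __name__ == "__main__":
    for addr, kind in audit_listeners(SAMPLE):
        print(f"review: Solr port listening on {addr} ({kind})")
```

A wildcard bind is only as private as the host's interfaces, so it is reported for review rather than treated as safe.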

