lucene-general mailing list archives

From gregory draperi <gregory.drap...@gmail.com>
Subject Re: XSS Issue
Date Tue, 18 Jun 2013 16:43:18 GMT
Yes, it works because it exploits a CSRF issue and in my opinion it should
also be fixed like XSS vulnerabilities in the application.

I think we don't understand each other.

I'm going to send details to the private mailing list and I won't waste
more of your time.

Regards,


2013/6/18 Uwe Schindler <uwe@thetaphi.de>

> Have fun with this web page:
>
> http://www.thetaphi.de/nukeyoursolrindex.html
>
> It really works, if you have a default Solr instance running on your local
> machine on default port with default collection, and you open this web page
> -> this nukes your index. This has nothing to do with the Admin interface.
>
> Uwe
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe@thetaphi.de
>
>
> > -----Original Message-----
> > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > Sent: Tuesday, June 18, 2013 6:27 PM
> > To: general
> > Subject: Re: XSS Issue
> >
> > This is a Cross-Site Request Forgery issue (not an XSS) and should be
> > fixed, for example, by adding an unpredictable parameter to the request.
> >
> > I'm going to send to private@lucene.apache.org what I have found.
> >
> > Best regards,
> >
> > Grégory
> >
> > 2013/6/18 Uwe Schindler <uwe@thetaphi.de>
> >
> > > Just to show this without the admin interface: Add these two images to
> > > any web page like this:
> > >
> > > <img src="http://localhost:8983/solr/collection1/update?stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E" />
> > > <img src="http://localhost:8983/solr/collection1/update?stream.body=%3Ccommit/%3E" />
> > >
> > > Anybody who visits this web page would nuke the index of his running
> > > solr server on the local machine - there is not even the admin web
> > > interface involved. Any REST API on earth has this problem, it is not
> > > specific to Solr!
> > >
> > > Uwe
> > >
> > > -----
> > > Uwe Schindler
> > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > http://www.thetaphi.de
> > > eMail: uwe@thetaphi.de
> > >
> > >
> > > > -----Original Message-----
> > > > From: Uwe Schindler [mailto:uwe@thetaphi.de]
> > > > Sent: Tuesday, June 18, 2013 6:01 PM
> > > > To: general@lucene.apache.org
> > > > Cc: 'gregory draperi'
> > > > Subject: RE: XSS Issue
> > > >
> > > > Hi,
> > > >
> > > > you can of course send your investigation to
> > > > private@lucene.apache.org, we greatly appreciate this.
> > > > An XSS problem in the Solr Admin interface can for sure be solved
> > > > somehow, but would not help to make Solr secure. Without the admin
> > > > interface you can still add some image into any web page that executes
> > > > a "delete whole index request" on the Solr server.
> > > >
> > > > If you want to prevent this, you can add HTTP basic authentication to
> > > > your web container, as described in the solr wiki.
> > > >
> > > > In general: If you have e.g. an EC2 cloud of solr servers, add an extra
> > > > security group to your cloud and limit all access from outside. Then
> > > > also no admin can access this.
> > > >
> > > > -----
> > > > Uwe Schindler
> > > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > > http://www.thetaphi.de
> > > > eMail: uwe@thetaphi.de
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > Sent: Tuesday, June 18, 2013 5:46 PM
> > > > > To: Uwe Schindler
> > > > > Cc: general
> > > > > Subject: Re: XSS Issue
> > > > >
> > > > > Yes he can do that but as I said the same problem can occur without
> > > > > his consent (and without a click) if he's on an arbitrary website
> > > > > which hosts an HTML IMG pointing to the vulnerable page of the solr
> > > > > administrator interface (like <IMG
> > > > > src="http://X.X.X.X/solr/admin/xss_vulnerable_page/> )
> > > > >
> > > > > I'm thankful for your quick responses even though I don't understand
> > > > > this philosophy. I note the point.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Grégory DRAPERI
> > > > >
> > > > >
> > > > > 2013/6/18 Uwe Schindler <uwe@thetaphi.de>
> > > > >
> > > > > > He can also delete his whole index with a single click on an HTTP
> > > > > > link referring to his Solr server. This is his problem. Never click
> > > > > > on links from eMail.
> > > > > > Solr is, as said already, not secured at all. If you want a "secure"
> > > > > > Solr server, rewrite the whole thing. The same applies to other
> > > > > > Lucene based products like ElasticSearch that have no "security"
> > > > > > included.
> > > > > >
> > > > > > -----
> > > > > > Uwe Schindler
> > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > > > > http://www.thetaphi.de
> > > > > > eMail: uwe@thetaphi.de
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > > > Sent: Tuesday, June 18, 2013 5:26 PM
> > > > > > > To: Uwe Schindler
> > > > > > > Cc: general
> > > > > > > Subject: Re: XSS Issue
> > > > > > >
> > > > > > > Hi Uwe,
> > > > > > >
> > > > > > > Thank you for your quick response.
> > > > > > >
> > > > > > > I'm a little bit surprised because XSS is not a problem of making
> > > > > > > solr accessible or not to the Internet, because this is a
> > > > > > > reflected XSS. If an administrator receives a mail with a
> > > > > > > malicious link pointing to the solr administrator interface and
> > > > > > > containing a malicious payload, he will execute the JavaScript if
> > > > > > > he clicks on it.
> > > > > > >
> > > > > > > There are also other techniques that can be used to make a solr
> > > > > > > administrator execute this link without his consent (an HTML IMG
> > > > > > > TAG pointing to the solr administration interface and hosted on a
> > > > > > > malicious website), and that will bypass network based protection.
> > > > > > >
> > > > > > > Regards,
> > > > > > >
> > > > > > > Grégory DRAPERI
> > > > > > >
> > > > > > >
> > > > > > > 2013/6/18 Uwe Schindler <uwe@thetaphi.de>
> > > > > > >
> > > > > > > > Hi Grégory,
> > > > > > > >
> > > > > > > > Solr should always only listen on private networks; never make
> > > > > > > > it accessible to the internet. This is officially documented;
> > > > > > > > for more information about this, see:
> > > > > > > > http://wiki.apache.org/solr/SolrSecurity
> > > > > > > > Solr uses HTTP as its programming API and you can do everything
> > > > > > > > Java allows via HTTP, but HTTP does not mean it must be open to
> > > > > > > > the internet. By opening a Solr server to the internet you are
> > > > > > > > somehow wrapping everything Java allows to the internet, so it
> > > > > > > > is not recommended. Solr also has no security features at all;
> > > > > > > > managing this is all up to the front-end, sitting on the
> > > > > > > > internet or insecure networks.
> > > > > > > >
> > > > > > > > There are already some issues open to limit some XSS and
> > > > > > > > similar access:
> > > > > > > > https://issues.apache.org/jira/browse/SOLR-4882
> > > > > > > >
> > > > > > > > Uwe
> > > > > > > >
> > > > > > > > -----
> > > > > > > > Uwe Schindler
> > > > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > > > > > > http://www.thetaphi.de
> > > > > > > > eMail: uwe@thetaphi.de
> > > > > > > >
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > > > > > Sent: Tuesday, June 18, 2013 3:13 PM
> > > > > > > > > To: general@lucene.apache.org
> > > > > > > > > Subject: XSS Issue
> > > > > > > > >
> > > > > > > > > Dear Solr project members,
> > > > > > > > >
> > > > > > > > > I think I have found an XSS (Cross-Site Scripting) issue in
> > > > > > > > > the 3.6.2 version of Solr.
> > > > > > > > >
> > > > > > > > > How can I give you more details?
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Grégory Draperi
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Grégory Draperi
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Grégory Draperi
> > >
> > >
> >
> >
> > --
> > Grégory Draperi
>
>


-- 
Grégory Draperi
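An added example, not part of this thread or of the Solr project: a small detector a defender could run over Solr/Jetty access logs to spot the image-tag pattern Uwe describes, namely a GET to an update handler whose stream.body carries a delete or commit, especially with a cross-site Referer. The log layout, host names and sample lines are constructed, and the "local" host list assumes the default localhost:8983 instance from the thread.

```python
# Added example, not from the thread or the Solr project. Log layout, host
# names and sample lines are constructed for illustration.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a combined-log-like layout (not real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [18/Jun/2013:16:40:01 +0000] "GET /solr/collection1/update?stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E HTTP/1.1" 200 41 "http://attacker.example/page.html" "Mozilla/5.0"
127.0.0.1 - - [18/Jun/2013:16:40:01 +0000] "GET /solr/collection1/update?stream.body=%3Ccommit/%3E HTTP/1.1" 200 41 "http://attacker.example/page.html" "Mozilla/5.0"
127.0.0.1 - - [18/Jun/2013:16:41:10 +0000] "GET /solr/collection1/select?q=*:*&rows=10 HTTP/1.1" 200 1204 "-" "curl/7.29"
127.0.0.1 - - [18/Jun/2013:16:42:33 +0000] "POST /solr/collection1/update HTTP/1.1" 200 41 "-" "Solrj/4.3"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Update commands that modify or wipe the index when passed via stream.body.
DESTRUCTIVE = re.compile(r"<\s*(delete|commit|optimize|rollback)\b", re.IGNORECASE)
# Referer hosts treated as same-site (assumes the default local Solr port).
LOCAL_HOSTS = {"", "localhost:8983", "127.0.0.1:8983"}

def classify(entry):
    """Return a reason string if the entry matches the CSRF pattern, else None."""
    if entry["method"] != "GET":
        return None  # an <img> tag can only trigger GET requests
    url = urlsplit(entry["target"])
    if not url.path.endswith("/update"):
        return None
    body = parse_qs(url.query).get("stream.body", [""])[0]  # already %-decoded
    if not DESTRUCTIVE.search(body):
        return None
    ref = entry["referer"]
    origin = urlsplit(ref).netloc if ref not in ("", "-") else ""
    reason = f"GET update with stream.body={body!r}"
    if origin not in LOCAL_HOSTS:
        reason += f" from cross-site referer {origin}"
    return reason

def scan(log_text):
    """Return (timestamp, reason) tuples for entries worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        reason = classify(m.groupdict()) if m else None
        if reason:
            hits.append((m.group("ts"), reason))
    return hits
```

A legitimate indexing client normally POSTs to the update handler, so GET-with-stream.body hits are rare enough to alert on; the Referer check only adds confidence, since browsers may omit it.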
