lucene-solr-user mailing list archives

From Bernd Fehling <bernd.fehl...@uni-bielefeld.de>
Subject Re: display SOLR Query in web page
Date Wed, 22 Aug 2012 14:20:49 GMT
I haven't spent time trying anything, I just entered a query and noticed
that it showed up in the page source view.
If they really escape everything, it is not that dangerous?

Actually I don't want to try anything with their page,
they might not have any humor ;-)

Bernd


On 22.08.2012 15:41, Michael Della Bitta wrote:
> Actually, I'm having a little trouble coming up with a
> proof-of-concept exploit for this... it doesn't seem like Solr is
> exposed directly, and it does seem like it's escaping submitted
> content before redisplaying it on the page.
> 
> I'm not crazy about leaking the raw query string into the HTML, but it
> doesn't seem to lead to more than just that.
> 
> Please let me know if I am missing something, it's still morningtime
> here in the US and I haven't had enough coffee yet. :)
> 
> Michael Della Bitta
> 
> ------------------------------------------------
> Appinions | 18 East 41st St., Suite 1806 | New York, NY 10017
> www.appinions.com
> Where Influence Isn’t a Game
> 
> 
> On Wed, Aug 22, 2012 at 9:32 AM, Michael Della Bitta
> <michael.della.bitta@appinions.com> wrote:
>> Ouch, not to mention the potential for XSS.
>>
>> I'll see if I can get in touch with someone.
>>
>> Michael Della Bitta
>>
>> ------------------------------------------------
>> Appinions | 18 East 41st St., Suite 1806 | New York, NY 10017
>> www.appinions.com
>> Where Influence Isn’t a Game
>>
>>
>> On Wed, Aug 22, 2012 at 3:40 AM, Bernd Fehling
>> <bernd.fehling@uni-bielefeld.de> wrote:
>>> Now this is very scary, while searching for "solr direct access per docid" I got a hit
>>> from US Homeland Security Digital Library. Interested in what they have to tell me
>>> about my search I clicked on the link to the page. First the page had nothing unusual
>>> about it, but why did I get the hit?
>>> http://www.hsdl.org/?collection/stratpol&id=4
>>>
>>> Inspecting the page source view shows that they have the solr query displayed directly
>>> on their page as a "span" with "style=display:none".
>>> -- snippet --
>>> <!-- Search Results -->
>>>
>>> <span style="display: none;">*** SOLR Query *** &mdash; q=Collection:0 AND (TabSection:("Congressional hearings and testimony", "Congressional
>>> reports", "Congressional resolutions", "Directives (presidential)", "Executive orders", "Major Legislation", "Public laws", "Reports (CBO)",
>>> "Reports (CHDS)", "Reports (CRS)",...
>>> ...
>>> AND (Title_nostem:("China Forces Senior Intelligence Officer")^10 AlternateTitle_nostem:("China Forces Senior Intelligence
>>> Officer")^9)&sort=score
>>> desc&rows=30&start=0&indent=off&facet=on&facet.limit=10000&facet.mincount=1&fl=AlternateTitle_text,Collection,CoverageCountry,CoverageState,Creator_nostem,DateLastModified,DateOfRecordEntry,Description_text,DisplayDate,DocID,ExternalDocId,ExternalDocSource,FileDate,FileExtension,FileSize,FileTitle_text,Format,Language,PublishDate,Publisher_text,Publisher_nostem,ReportNumber,ResourceType,RetrievedFrom,Rights,Subjects,Source,TabSection,Title_text,URL_text,Alternate_URL_text,CreatedBy,ModifiedBy,Notes&wt=phps&facet.field=Creator&facet.field=Format&facet.field=Language&facet.field=Publisher&facet.field=TabSection</span>
>>> -- snippet --
>>>
>>> As you can see I have searched for "China Forces Senior Intelligence Officer",
>>> so this is directly showing the query string.
>>> Do they know that there is also a delete by query?
>>> And there are also escape sequences?
>>>
>>> This is what I call scary.
>>> Maybe some of the US fellows can give them a hint and a helping hand.
>>>
>>> Regards
>>> Bernd

-- 
*************************************************************
Bernd Fehling                Universitätsbibliothek Bielefeld
Dipl.-Inform. (FH)            LibTec - Bibliothekstechnologie
Universitätsstr. 25                     und Wissensmanagement
33615 Bielefeld
Tel. +49 521 106-4060       bernd.fehling(at)uni-bielefeld.de

BASE - Bielefeld Academic Search Engine - www.base-search.net
*************************************************************
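As an added illustration of the two points raised in this thread (the XSS risk Michael mentions, and what the leaked query still reveals even when it is escaped), the following Python is not code from the thread, from hsdl.org, or from Solr. It reconstructs only the shape of the leaked query using the field names quoted above (`Title_nostem`, `AlternateTitle_nostem`, `wt=phps`, a shortened `fl` list), and the search term containing markup is a constructed sample, not something anyone sent to the site. The helpers `build_solr_query`, `render_unsafe`, `render_escaped`, `has_live_script` and `disclosed_parameters` are hypothetical names chosen for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample input (not from the thread): a search term that carries
# markup, to show why echoing the raw query into HTML matters.
MALICIOUS_TERM = 'China Forces"><script>alert(1)</script>'


def build_solr_query(term: str) -> str:
    """Build a query string with the same shape as the one leaked in the thread.

    Field names (Title_nostem, AlternateTitle_nostem, wt=phps, ...) are copied
    from the quoted snippet; the fl list is shortened. Hypothetical helper.
    """
    return (
        'q=Collection:0 AND (Title_nostem:("%s")^10 AlternateTitle_nostem:("%s")^9)'
        '&sort=score desc&rows=30&start=0&indent=off'
        '&fl=DocID,Title_text,Description_text&wt=phps' % (term, term)
    )


def render_unsafe(solr_query: str) -> str:
    """The pattern seen in the page source: the raw query dropped into a hidden span.

    display:none hides the text, but a <script> element inside the span still runs.
    """
    return '<span style="display: none;">*** SOLR Query *** &mdash; %s</span>' % solr_query


def render_escaped(solr_query: str) -> str:
    """Hardened form: HTML-escape the untrusted value before interpolation.

    quote=True also turns " and ' into entities, so the value cannot break out
    of an attribute if the template is ever changed to put it in one.
    """
    return '<span style="display: none;">*** SOLR Query *** &mdash; %s</span>' % html.escape(
        solr_query, quote=True
    )


def has_live_script(page_html: str) -> bool:
    """Crude check used below: does a real <script> tag survive rendering?"""
    return "<script>" in page_html.lower()


def disclosed_parameters(solr_query: str) -> dict:
    """Escaping stops the XSS but not the information leak: anyone reading the
    page source still learns schema field names, the response writer (wt) and
    the paging parameters, which is what makes the leak worth removing."""
    params = parse_qs(solr_query, keep_blank_values=True)
    return {name: values[0] for name, values in params.items()}


if __name__ == "__main__":
    q = build_solr_query(MALICIOUS_TERM)
    print("unsafe   :", has_live_script(render_unsafe(q)))   # True
    print("escaped  :", has_live_script(render_escaped(q)))  # False
    print("disclosed:", disclosed_parameters(
        build_solr_query("China Forces Senior Intelligence Officer")))
```

The escaped form answers Bernd's question about whether escaping makes it "not that dangerous" for script injection, but `disclosed_parameters` shows the part escaping does not fix: the field list and `wt` value are readable by anyone. A delete-by-query, on the other hand, only becomes a concern if the Solr update handler itself is reachable from the outside, and nothing in this thread shows that it is; Michael's observation that Solr does not appear to be exposed directly is the check that matters for that question.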
