lucene-solr-user mailing list archives

From Shawn Heisey <s...@elyograg.org>
Subject Re: SOLR Security - Displaying endpoints to public
Date Mon, 06 Jan 2014 18:37:30 GMT
On 1/6/2014 11:18 AM, Shawn Heisey wrote:
> Even if you disable admin handlers so that it's impossible to gather 
> full information about your schema and other settings, generating 
> legitimate queries is probably enough for an attacker to get the 
> information they need.

Self-replying on this point: If you *don't* disable admin handlers, an 
attacker would also be able to simply unload the core and ask Solr to 
delete it from disk.

A side effect of disabling admin handlers is that the admin UI won't 
work either.  In terms of security hardening, that's a good thing ... 
but it makes it *very* difficult to gather useful information about your 
installation's health.

Thanks,
Shawn

