[ https://issues.apache.org/jira/browse/SOLR-5742?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Uwe Schindler updated SOLR-5742:
--------------------------------

    Labels: security  (was: )

> XSS vulnerability in Solr /admin/debug.jsp
> ------------------------------------------
>
>                 Key: SOLR-5742
>                 URL: https://issues.apache.org/jira/browse/SOLR-5742
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 1.4.1, 3.6.2
>         Environment: Ubuntu 12.04 (x64-64) hosting the example deployment using Jetty
>            Reporter: Ben Lincoln
>              Labels: security
>
> The debug.jsp file included in the example deployment package for versions 1.4.1 and 3.6.2 contains a reflected cross-site scripting vulnerability in the "handler" URL parameter.
> E.g.
> http://exampleserver:8983/solr/admin/debug.jsp?handler=<script>alert(1);</script>
> This file appears to have either been removed or disabled with the 4.x releases.
> Unlike SOLR-4305, this is triggered immediately on page load and doesn't have to be triggered as a JavaScript event-handler.

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
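For readers of this report, the unescaped reflection it describes beside its escaped form, written as a Java stand-in for a JSP scriptlet that echoes the "handler" parameter (added example, not Solr's debug.jsp; the HandlerParamRendering class, its method names and the surrounding HTML are assumptions):

```java
/** Constructed stand-in for a scriptlet that reflects request.getParameter("handler"). */
public final class HandlerParamRendering {

    /** Vulnerable form: the parameter value is concatenated into the HTML body unchanged. */
    public static String renderVulnerable(String handler) {
        return "<p>Handler: " + handler + "</p>";
    }

    /** Minimal escaper for an HTML text context; covers the same characters as JSTL's fn:escapeXml. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened form: escape before reflecting, so the browser treats the value as text, not markup. */
    public static String renderHardened(String handler) {
        return "<p>Handler: " + escapeHtml(handler) + "</p>";
    }

    public static void main(String[] args) {
        // The parameter value from the report's example URL, used here as constructed input.
        String tainted = "<script>alert(1);</script>";
        System.out.println(renderVulnerable(tainted)); // script element reaches the page verbatim
        System.out.println(renderHardened(tainted));   // &lt;script&gt;... is rendered as inert text
    }
}
```

In a JSP the equivalent of renderHardened is `<c:out value="${param.handler}"/>` or `${fn:escapeXml(param.handler)}` rather than `<%= request.getParameter("handler") %>`.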