[ https://issues.apache.org/jira/browse/SOLR-7346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steve Rowe updated SOLR-7346:
-----------------------------
Description:
Like CVE-2014-3628, the vulnerability also exists in the Admin UI Schema-Browser
page and Analysis page, and is caused by improper validation of
user-supplied input, for example fields created via the Schema API. When the
Schema-Browser page or Analysis page URL is clicked, an XSS is triggered.
An attacker could use this vulnerability to steal the victim's cookie-based
authentication credentials.
Patch for Solr 5.0.0:
{noformat}
solr/webapp/web/js/scripts/schema-browser.js
--- schema-browser.js 2015-04-03 14:42:19.000000000 +0800
+++ schema-browser_patch.js 2015-04-03 14:42:59.000000000 +0800
@@ -596,7 +596,7 @@
{
fields.push
(
- '<option value="?field=' + field_name + '">' +
field_name + '</option>'
+ '<option value="?field=' + field_name.esc() + '">' +
field_name.esc() + '</option>'
);
}
if( 0 !== fields.length )
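Review bot: `field_name` is interpolated both into a double-quoted attribute (`value="?field=..."`) and into the option's text, so the `.esc()` helper this hunk relies on must escape `"` and `&` as well as `<` and `>` for the attribute side to be safe; the patch should state what `esc()` covers or point at its definition. Also, mail wrapping has split the added line so that `field_name.esc() + '</option>'` carries no `+` prefix, which makes the hunk disagree with its `@@ -596,7 +596,7 @@` counts; attaching the diff as a file would keep it applyable.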
solr/webapp/web/js/scripts/analysis.js
--- analysis.js 2015-04-03 14:22:34.000000000 +0800
+++ analysis_patch.js 2015-04-03 14:23:09.000000000 +0800
@@ -80,7 +80,7 @@
{
fields.push
(
- '<option value="fieldname=' + field_name + '">' + field_name
+ '</option>'
+ '<option value="fieldname=' + field_name.esc() + '">' +
field_name.esc() + '</option>'
);
}
if( 0 !== fields.length )
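Review bot: the wrapped removed line here has produced a continuation reading `+ '</option>'`, which looks like an added line and mislabels the `-` line it belongs to, so this hunk will not apply as pasted; attach the patch as a file. Since the same `fields.push( '<option value=...' + field_name ... )` construction appears in both analysis.js and schema-browser.js, one shared option-rendering helper that escapes once would make it harder to miss a third copy of the pattern.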
{noformat}
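The defect and fix the description outlines, as an added example that is not Solr's code: the raw concatenation pattern beside an escaped version, plus a check over the rendered markup. `escapeHtml`, `optionsAreWellFormed` and the sample field names are assumptions for illustration, not the Admin UI's own `esc()`.

```javascript
// Added illustration (not Solr's code): building <option> markup from
// field names with and without escaping, and checking the result.

// Escape the characters that matter in HTML text and in double-quoted
// attribute values; covering only < and > would leave the attribute
// context breakable by a quote.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Before: the field name is concatenated raw into both an attribute and
// a text node (the pattern the report's patch removes).
function optionUnescaped(fieldName) {
  return '<option value="?field=' + fieldName + '">' + fieldName + '</option>';
}

// After: every interpolation of the field name goes through the escaper.
function optionEscaped(fieldName) {
  return '<option value="?field=' + escapeHtml(fieldName) + '">' +
         escapeHtml(fieldName) + '</option>';
}

// Render one <option> per field and join them, as the Admin UI scripts do.
function renderFieldOptions(fieldNames, render) {
  return fieldNames.map(render).join('');
}

// Reviewer check: the markup must consist of exactly expectedCount
// well-formed <option> elements with no stray quotes or angle brackets
// inside the attribute value or the text node.
function optionsAreWellFormed(markup, expectedCount) {
  const opts = markup.match(/<option value="[^"<>]*">[^<>]*<\/option>/g) || [];
  return opts.length === expectedCount && opts.join('') === markup;
}

// Constructed sample field names: one benign, one carrying the markup
// metacharacters a Schema API caller could place in a field name.
const SAMPLE_FIELDS = ['title', 'x"><b>y'];
```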
> Stored XSS in Admin UI Schema-Browser page and Analysis page
> ------------------------------------------------------------
>
> Key: SOLR-7346
> URL: https://issues.apache.org/jira/browse/SOLR-7346
> Project: Solr
> Issue Type: Bug
> Components: UI
> Affects Versions: 4.10.2, 5.0
> Environment: linux x86_64
> jdk 1.7.0.75
> apache tomcat-7.0.57
> solr 5.0.0
> Reporter: Mei Wang
> Labels: patch, security
> Original Estimate: 96h
> Remaining Estimate: 96h
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)