[
https://issues.apache.org/jira/browse/SOLR-7966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14710218#comment-14710218
]
Uwe Schindler commented on SOLR-7966:
-------------------------------------
Hi Yonik, good idea. This should be possible with a simple ServletFilter adding
the header before delegating (I think Jetty has one available). Otherwise just
set the header in SolrDispatchFilter if URI path matches admin interface.
In general, I don't think this is a big problem. OK, one could create a webpage
and include a frame/iframe with http://localhost:8983/solr/admin into a web
page and browser would load that, but its unlikely that this wil cause any harm.
I think what we would really need is to send some header to prevent Solr's
RequestHandlers to be loaded as images or scripts into HTML - unfortunately
there is no header for that (and it won't work because the action is done
already after the HTTP request). Simple example is the web page I always show
to my customers: http://www.thetaphi.de/nukeyoursolrindex.html (this loads the
update handler, sends a delete xml body via url param, to the default core, by
a simple GET request, triggered through an {{<img src=.../>}} in the HTML).
FYI: This no longer works with Solr 5, because we no longer have a default
core, but you can easily modify the IMG element in this page :-)
> Solr Admin pages should set X-Frame-Options to DENY
> ---------------------------------------------------
>
> Key: SOLR-7966
> URL: https://issues.apache.org/jira/browse/SOLR-7966
> Project: Solr
> Issue Type: Bug
> Reporter: Yonik Seeley
> Priority: Trivial
>
> Security scan software reported that Solr's admin interface is vulnerable to
> clickjacking, which is fixable with the X-Frame-Options HTTP header.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
