Hi Uwe,

Thank you for your quick response.

I'm a little bit surprised, because XSS is not a problem of making Solr accessible to the Internet or not, because this is a reflected XSS. If an administrator receives a mail with a malicious link pointing to the Solr administrator interface and containing a malicious payload, he will execute the JavaScript if he clicks on it. There are also other techniques that can be used to make a Solr administrator execute this link without his consent (an HTML IMG tag pointing to the Solr administration interface and hosted on a malicious website), and that will bypass network-based protection.

Regards,

Grégory DRAPERI

2013/6/18 Uwe Schindler <[email protected]>

> Hi Grégory,
>
> Solr should always only listen on private networks; never make it
> accessible to the internet. This is officially documented; for more
> information about this, see: http://wiki.apache.org/solr/SolrSecurity
> Solr uses HTTP as its programming API and you can do everything Java
> allows via HTTP, but HTTP does not mean it must be open to the internet. By
> opening a Solr server to the internet you are somehow wrapping everything
> Java allows to the internet, so it is not recommended. Solr also has no
> security features at all; managing this is all up to the front-end, sitting
> on internet or insecure networks.
>
> There are already some issues open to limit some XSS and similar access:
> https://issues.apache.org/jira/browse/SOLR-4882
>
> Uwe
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: [email protected]
>
>
> > -----Original Message-----
> > From: gregory draperi [mailto:[email protected]]
> > Sent: Tuesday, June 18, 2013 3:13 PM
> > To: [email protected]
> > Subject: XSS Issue
> >
> > Dear Solr project members,
> >
> > I think I have found an XSS (Cross-Site Scripting) issue in the 3.6.2 version of
> > Solr.
> >
> > How can I give you more details?
> >
> > Regards,
> >
> > --
> > Grégory Draperi

--
Grégory Draperi
