On 1/6/2014 10:55 AM, Developer wrote:
We are currently showing the SOLR endpoints to the public when using our
application (public users would be able to view the SOLR endpoints (/select)
and the query in the debugging console).

I am trying to figure out if there is any security threat in terms of
displaying the endpoints directly in internet. We have disabled the update
handler in production so I assume writes / updates are not possible.

The below URL mentions a point 'Solr does not concern itself with security
either at the document level or the communication level. It is strongly
recommended that the application server containing Solr be firewalled such
that the only clients with access to Solr are your own.'

Is the above statement true even if we just display the read-only endpoints
to the public users? Can someone please advise?

Without an application between the public and Solr that sanitizes user input, an attacker can send denial of service queries to your Solr instance that will cause it to spin so hard it can't serve regular queries. We can't block such things in server code, because sometimes such queries *are* legitimate, they just take a lot of resources and time to complete.

Even if you disable admin handlers so that it's impossible to gather full information about your schema and other settings, generating legitimate queries is probably enough for an attacker to get the information they need.

If your design is such that client-side scripting handles almost everything, you probably need to set up a proxy in front of Solr that's configured to deny things that look suspicious. I do not know of any publicly available proxy configurations like this, and I have never come across any private ones either.

Thanks,
Shawn
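As an added example (not part of Shawn's reply, and not code from the Solr project), the check below is the kind of default-deny filter a proxy in front of Solr could run on public /select traffic before forwarding it. The handler path, the parameter allowlist, the row/offset caps and the "expensive query syntax" heuristic are all assumptions chosen for illustration; the parameter names themselves (q, fq, rows, start, fl, sort, wt, shards, debugQuery) are standard Solr request parameters.

```python
"""Default-deny request check for a read-only Solr /select proxy.

Constructed example: a reverse proxy or WSGI middleware would call
check_solr_request() and return 403 when it says no. Handler path,
allowlists and limits are assumptions, not Solr defaults.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed: the only handler public clients may reach. /update, /admin/*,
# and any other handler are refused by path alone.
ALLOWED_PATHS = {"/solr/collection1/select"}
# Parameters we choose to pass through. Everything else (shards, stream.*,
# qt, debugQuery, echoParams, facet.*, ...) is refused, so an attacker cannot
# redirect the query, pull remote content, or dump handler configuration.
ALLOWED_PARAMS = {"q", "fq", "rows", "start", "fl", "sort", "wt"}
ALLOWED_WT = {"json"}
MAX_ROWS = 50          # cap page size
MAX_START = 1000       # cap deep paging offset
MAX_Q_LEN = 200        # cap query string length
MAX_FQ = 3             # cap number of filter clauses
FIELD_LIST_RE = re.compile(r"^[A-Za-z0-9_]+(,[A-Za-z0-9_]+)*$")
SORT_RE = re.compile(r"^[A-Za-z0-9_]+ (asc|desc)$")
# Heuristic for Lucene syntax that is disproportionately expensive on a
# public endpoint: regex terms (/.../), leading wildcards (*foo, ?foo) and
# fuzzy/proximity terms (foo~, foo~2). Trailing wildcards (foo*) are allowed.
EXPENSIVE_RE = re.compile(r"(^|[\s(:])(/|[*?])|~\d*(\s|$)")


def _int_param(params, name, default, maximum):
    """Parse a single non-negative integer parameter with an upper cap."""
    raw = params.get(name, [str(default)])
    if len(raw) != 1 or not raw[0].isdigit():
        return None, f"{name} must be a single non-negative integer"
    value = int(raw[0])
    if value > maximum:
        return None, f"{name}={value} exceeds cap {maximum}"
    return value, ""


def check_solr_request(url):
    """Return (allowed, reason); reason is "" when the request is allowed."""
    parts = urlsplit(url)
    if parts.path not in ALLOWED_PATHS:
        return False, f"handler {parts.path} is not exposed"
    params = parse_qs(parts.query, keep_blank_values=True)

    unknown = sorted(set(params) - ALLOWED_PARAMS)
    if unknown:
        return False, "parameter(s) not on allowlist: " + ", ".join(unknown)

    q = params.get("q", [])
    if len(q) != 1 or not q[0].strip():
        return False, "exactly one non-empty q is required"
    if len(q[0]) > MAX_Q_LEN:
        return False, f"q longer than {MAX_Q_LEN} characters"

    fqs = params.get("fq", [])
    if len(fqs) > MAX_FQ:
        return False, f"more than {MAX_FQ} fq clauses"
    for clause in [q[0]] + fqs:
        if clause.strip() == "*:*":        # match-all is cheap once rows are capped
            continue
        if EXPENSIVE_RE.search(clause):
            return False, "expensive query syntax (regex/leading wildcard/fuzzy)"

    for name, default, maximum in (("rows", 10, MAX_ROWS), ("start", 0, MAX_START)):
        value, err = _int_param(params, name, default, maximum)
        if value is None:
            return False, err

    wt = params.get("wt", ["json"])
    if len(wt) != 1 or wt[0] not in ALLOWED_WT:
        return False, "unsupported response writer"
    for fl in params.get("fl", []):
        if not FIELD_LIST_RE.match(fl):     # no function queries or [transformers]
            return False, "fl must be a plain comma-separated field list"
    for sort in params.get("sort", []):
        if not SORT_RE.match(sort):
            return False, "sort must be '<field> asc|desc'"
    return True, ""


if __name__ == "__main__":
    # Constructed sample requests, as a proxy might see them.
    for sample in (
        "/solr/collection1/select?q=title:solr&rows=10&wt=json",
        "/solr/collection1/update?commit=true",
        "/solr/collection1/select?q=*:*&rows=10000",
        "/solr/collection1/select?q=foo&shards=localhost:8983/solr",
        "/solr/collection1/select?q=foo&debugQuery=true",
        "/solr/collection1/select?q=*foo*",
    ):
        print(check_solr_request(sample))
```

The point of the default-deny shape is that the proxy never has to know every dangerous parameter Solr supports; it only has to know the handful the application actually uses, and it bounds the cost of each one (page size, offset, clause count, query syntax) so a single client cannot monopolise the instance.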
