Re: svn commit: r481116 - in /incubator/solr/trunk: CHANGES.txt src/webapp/resources/admin/form.jsp src/webapp/resources/admin/index.jsp


Erik Hatcher

On Nov 30, 2006, at 7:16 PM, [hidden email] wrote:
> + <textarea rows="5" cols="60" name="q"><%= defaultSearch %></
> textarea>
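
Review bot: `<%= defaultSearch %>` is written into the `<textarea>` body without HTML escaping, so a value containing `</textarea>` ends the element early and whatever follows is parsed as page markup. Escape the value before emitting it (at least `&`, `<` and `>`), regardless of where `defaultSearch` is populated from, so the template stays safe if that source ever changes.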

keep in mind that when data a user could enter in an HTTP request is  
spit directly back out without escaping, a cross-site security  
vulnerability may be possible.  i didn't analyze this particular one,  
but if defaultSearch is an HTTP request parameter, then you could  
have trouble.  try submitting defaultSearch as this, for example:

        </textarea><script language="javascript">alert('gotcha!');</script>

Erik


Chris Hostetter-3

: keep in mind that when data a user could enter in an HTTP request is
: spit directly back out without escaping, a cross-site security
: vulnerability may be possible.  i didn't analyze this particular one,
: but if defaultSearch is an HTTP request parameter, then you could
: have trouble.  try submitting defaultSearch as this, for example:

defaultSearch comes from the solr config ... you're right it should be
escaped, I'll go do that now, but it's not really a security issue.

(It's been echoed like that on index.jsp since inception)


-Hoss
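
The escaping discussed in this thread, as an added example that is not part of either message or of Solr's code: it renders the textarea line from the commit with and without HTML escaping and checks whether the value can close the element early. The class and method names are hypothetical, and the first sample value is constructed; the second is the string quoted in the first message.

```java
// Added illustration: class and method names are hypothetical, not Solr code.
public class TextareaEscapeDemo {

    // Escape the five characters that matter in element content and quoted attributes.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Same shape as the committed JSP line: the value is written as-is.
    static String renderRaw(String v) {
        return "<textarea rows=\"5\" cols=\"60\" name=\"q\">" + v + "</textarea>";
    }

    // Hardened form: the value is escaped before it reaches the page.
    static String renderEscaped(String v) {
        return "<textarea rows=\"5\" cols=\"60\" name=\"q\">" + escapeHtml(v) + "</textarea>";
    }

    // True when the text between our opening and final closing tag contains
    // another "</textarea", i.e. the value terminated the element early.
    static boolean breaksOut(String html) {
        int open = html.indexOf('>') + 1;             // end of the opening tag
        int close = html.lastIndexOf("</textarea>");  // the closing tag we wrote
        return html.substring(open, close).toLowerCase().contains("</textarea");
    }

    public static void main(String[] args) {
        String[] samples = {
            "title:solr AND price:[* TO 10]",  // constructed, benign query
            "</textarea><script language=\"javascript\">alert('gotcha!');</script>"
        };
        for (String s : samples) {
            System.out.println("raw     breaksOut=" + breaksOut(renderRaw(s)));
            System.out.println("escaped breaksOut=" + breaksOut(renderEscaped(s)));
            System.out.println("  " + renderEscaped(s));
        }
    }
}
```

Browsers decode character references inside a `<textarea>`, so the escaped form still displays and submits the original query text.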