[jira] Created: (SOLR-74) Cross-site scripting vulnerabilities


Hudson (Jira)
Cross-site scripting vulnerabilities
------------------------------------

                 Key: SOLR-74
                 URL: http://issues.apache.org/jira/browse/SOLR-74
             Project: Solr
          Issue Type: Bug
          Components: web gui
            Reporter: Erik Hatcher


There are a number of cross-site scripting vulnerabilities in the Solr admin JSP pages, wherever data is being re-displayed as typed by the user.  

For example, in analysis.jsp:  <textarea class="std" rows="1" cols="70" name="qval"><%= qval %></textarea>

These need to be modified to HTML escape the values rather than directly outputting the exact values.

The other affected JSP pages: action.jsp and get-file.jsp

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
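
An added example, not part of the original thread and not Solr's code: a small HTML escaper applied to the three output shapes the admin JSPs use (table cell text, a quoted attribute value, and a textarea body), printing each unescaped and escaped. The class name, the `escapeHtml` helper and the sample parameter values are constructed for illustration.

```java
public class HtmlEscapeDemo {
    // Hypothetical helper (not Solr code): escapes the five characters that
    // matter in element content and in quoted attribute values.
    static String escapeHtml(String s) {
        if (s == null) return "";            // absent request parameter
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The three output shapes, built as strings so the result can be printed.
    static String cell(String v) { return "<td>" + v + "<br></td>"; }
    static String input(String v) {
        return "<input class=\"std\" name=\"name\" type=\"text\" value=\"" + v + "\">";
    }
    static String textarea(String v) {
        return "<textarea class=\"std\" rows=\"1\" cols=\"70\" name=\"qval\">" + v + "</textarea>";
    }

    public static void main(String[] args) {
        // Constructed parameter values: each one tries to leave its context.
        String action = "<i>enable</i>";                  // markup in cell text
        String name   = "text\" size=\"1";                // closes the attribute
        String qval   = "a & b</textarea><b>outside</b>"; // closes the textarea

        System.out.println("raw:     " + cell(action));
        System.out.println("escaped: " + cell(escapeHtml(action)));
        System.out.println("raw:     " + input(name));
        System.out.println("escaped: " + input(escapeHtml(name)));
        System.out.println("raw:     " + textarea(qval));
        System.out.println("escaped: " + textarea(escapeHtml(qval)));
    }
}
```

In a JSP the same change means wrapping each expression, for example `<%= escapeHtml(qval) %>`, assuming such a helper is visible to the page.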

       
[jira] Commented: (SOLR-74) Cross-site scripting vulnerabilities

Hudson (Jira)
    [ http://issues.apache.org/jira/browse/SOLR-74?page=comments#action_12454244 ]
           
Brian Chess commented on SOLR-74:
---------------------------------

Two problems in action.jsp:
100 <td>
101 <%= action %><br>
102 </td>

108 <td>
109 <%= enableActionStatus %><br>
110 </td>


One in get-file.jsp:
59 out.println("Permission denied for file "+ fname);

Three in analysis.jsp:
64 <td>
65 <input class="std" name="name" type="text" value="<%= name %>">
66 </td>

80 <td>
81 <textarea class="std" rows="3" cols="70" name="val"><%= val %></textarea>
82 </td>

92 <td>
93 <textarea class="std" rows="1" cols="70" name="qval"><%= qval %></textarea>
94 </td>
95 </tr>





[jira] Commented: (SOLR-74) Cross-site scripting vulnerabilities

Hudson (Jira)
    [ http://issues.apache.org/jira/browse/SOLR-74?page=comments#action_12455075 ]
           
Otis Gospodnetic commented on SOLR-74:
--------------------------------------

analysis.jsp is getting changed in SOLR-58, so the last 3 CSS issues will be taken care of there.


[jira] Assigned: (SOLR-74) Cross-site scripting vulnerabilities

Hudson (Jira)
     [ http://issues.apache.org/jira/browse/SOLR-74?page=all ]

Hoss Man reassigned SOLR-74:
----------------------------

    Assignee: Hoss Man


[jira] Resolved: (SOLR-74) Cross-site scripting vulnerabilities

Hudson (Jira)
     [ http://issues.apache.org/jira/browse/SOLR-74?page=all ]

Hoss Man resolved SOLR-74.
--------------------------

    Resolution: Fixed

I made the necessary changes to action.jsp, and analysis.jsp as well (since the analysis.jsp changes in SOLR-58 were rolled back recently).

I didn't modify get-file.jsp -- its MIME type is explicitly text/plain, so there's nothing to escape.
