Hi. At the moment I am playing around a bit with Apache Solr with a focus on security. I found one very strange "feature" that allows one to inject any text you want, including XML, into the response of a query.
Running the example installation that comes with Solr, you can test the following queries:

http://localhost:8983/solr/select?q=*&hl.simple.pre=%3Cmyxml%3EThis%20is%20injected%20content%3C/myxml%3E

http://localhost:8983/solr/select?q=*&hl.simple.pre=%3C/str%3E%3C/lst%3E%3C/lst%3E%3Cresult%20name=%22response%22%20numfound=%220%22%20start=%220%22/%3E

From what I have seen, at least the two parameters "hl.simple.post" and "hl.simple.pre" are affected.

I am now asking myself why someone would implement such a bloodcurdling vulnerability into a web service. Until now I haven't found an exploit using the parameters in a way that would give an attacker an advantage. But the way those parameters are implemented raises some doubts on my side about whether security has been seriously taken into account while implementing Solr...

Best Regards,
Jan Peter Stotz
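The following is an added illustration and is not Solr's own code nor anything from the post above. It models the behaviour the post reports (the hl.simple.pre / hl.simple.post values appear verbatim in the XML response) beside a hardened variant that XML-escapes the snippet as a string value before writing it, and it runs the two payloads from the post through both. RESPONSE_TEMPLATE is a constructed, simplified stand-in for the highlighting section of a response, the sample document text is made up, and all function names are hypothetical; inspect_response() is the kind of check a reviewer would run on a captured response: does it still parse, and does it contain any element the server never produced?

```python
"""
Model of the hl.simple.pre / hl.simple.post injection described in the post.

Added illustration, not Solr code.  RESPONSE_TEMPLATE is a constructed,
simplified stand-in for the highlighting section of a Solr XML response;
render_response() models the reported behaviour (marker strings written
verbatim) beside a hardened form that escapes the snippet as text.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed stand-in for the part of the response the markers end up in.
RESPONSE_TEMPLATE = (
    '<response>'
    '<lst name="highlighting">'
    '<lst name="{doc_id}"><str name="{field}">{snippet}</str></lst>'
    '</lst>'
    '</response>'
)

# Tags an untampered response may contain.  <em> is the default marker pair
# (hl.simple.pre=<em>, hl.simple.post=</em>).
EXPECTED_TAGS = {"response", "lst", "str", "em"}

# The two payloads from the post, URL-decoded.
PAYLOAD_ELEMENT = "<myxml>This is injected content</myxml>"
PAYLOAD_BREAKOUT = (
    '</str></lst></lst>'
    '<result name="response" numfound="0" start="0"/>'
)


def highlight(text, term, pre, post):
    """Wrap every occurrence of term in the caller-supplied markers."""
    return text.replace(term, pre + term + post)


def render_response(text, term, pre="<em>", post="</em>", escape_output=False):
    """Serialize a highlighted snippet into the (constructed) response.

    escape_output=False models the reported behaviour: markers and text are
    concatenated and dropped into the XML as-is.  escape_output=True is the
    hardened form: the whole snippet is XML-escaped as a string value, so any
    markup in it reaches the client as text to decode, never as structure.
    """
    snippet = highlight(text, term, pre, post)
    if escape_output:
        snippet = escape(snippet)
    return RESPONSE_TEMPLATE.format(doc_id="1", field="name", snippet=snippet)


def inspect_response(xml_text):
    """Return (well_formed, unexpected_tags) for a rendered response.

    A parse failure means injected markup broke the document; extra tags mean
    it parsed but now carries structure the server never produced.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, []
    return True, sorted({el.tag for el in root.iter()} - EXPECTED_TAGS)


def snippet_text(xml_text):
    """All character data inside <str>, as a client sees it after XML decoding.

    Returns None if the document does not parse.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return "".join(root.find(".//str").itertext())


if __name__ == "__main__":
    doc = "Solr is a search server"  # constructed sample document text
    for label, pre, post in [
        ("default markers", "<em>", "</em>"),
        ("element payload", PAYLOAD_ELEMENT, ""),
        ("breakout payload", PAYLOAD_BREAKOUT, ""),
    ]:
        for hardened in (False, True):
            xml_text = render_response(doc, "Solr", pre, post, escape_output=hardened)
            print(f"{label:16} escaped={hardened!s:5} ->", inspect_response(xml_text))
```

Unescaped, the first payload yields a document that still parses but now contains a `myxml` element, and the snippet's character data is silently reshuffled; the second payload (with no hl.simple.post) leaves the document malformed, because the closing tags it emits no longer match what is open. With escaping at serialization time both payloads survive only as text, and even the default `<em>`/`</em>` markers arrive as `&lt;em&gt;` for the client to decode. An alternative or additional control is to accept only an allowlist of marker values server-side instead of arbitrary strings.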