On Sep 20, 2011, at 04:33, Jan Peter Stotz wrote:
I am now asking myself why would someone implement such a bloodcurdling vulnerability into a web service? Until now I haven't found an exploit using the parameters in a way an attacker would get an advantage. But the way those parameters are implemented raises some doubts on my side as to whether security has been seriously taken into account while implementing Solr...
Solr committers can correct me if I'm wrong, but my impression is that the Solr API itself is generally _not_ intended to be exposed to the world. It's expected to be protected behind a firewall, accessed by trusted applications.
People periodically post to this list planning on exposing it to the world anyway; but my impression is there may be all kinds of security problems there, as well as DoS possibilities, etc.
So I think it may be safe to say that security has not been seriously taken into account -- if you mean security on a Solr instance which has its entire API exposed publicly to the world. I don't think that's the intended use case.