Actually, I'm having a little trouble coming up with a proof-of-concept exploit for this... it doesn't seem like Solr is exposed directly, and it does seem like it's escaping submitted content before redisplaying it on the page.

I'm not crazy about leaking the raw query string into the HTML, but it doesn't seem to lead to more than just that. Please let me know if I am missing something, it's still morning time here in the US and I haven't had enough coffee yet. :)

Michael Della Bitta

------------------------------------------------
Appinions | 18 East 41st St., Suite 1806 | New York, NY 10017
www.appinions.com
Where Influence Isn’t a Game

On Wed, Aug 22, 2012 at 9:32 AM, Michael Della Bitta
<michael.della.bi...@appinions.com> wrote:
> Ouch, not to mention the potential for XSS.
>
> I'll see if I can get in touch with someone.
>
> Michael Della Bitta
>
> ------------------------------------------------
> Appinions | 18 East 41st St., Suite 1806 | New York, NY 10017
> www.appinions.com
> Where Influence Isn’t a Game
>
>
> On Wed, Aug 22, 2012 at 3:40 AM, Bernd Fehling
> <bernd.fehl...@uni-bielefeld.de> wrote:
>> Now this is very scary. While searching for "solr direct access per docid" I
>> got a hit from the US Homeland Security Digital Library. Interested in what
>> they have to tell me about my search, I clicked on the link to the page.
>> At first the page had nothing unusual about it, but why did I get the hit?
>> http://www.hsdl.org/?collection/stratpol&id=4
>>
>> Inspecting the page source view shows that they have the Solr query
>> displayed directly on their page as a "span" with "style=display:none".
>> -- snippet --
>> <!-- Search Results -->
>>
>> <span style="display: none;">*** SOLR Query *** — q=Collection:0 AND
>> (TabSection:("Congressional hearings and testimony", "Congressional
>> reports", "Congressional resolutions", "Directives (presidential)",
>> "Executive orders", "Major Legislation", "Public laws", "Reports (CBO)",
>> "Reports (CHDS)", "Reports (CRS)",...
>> ...
>> AND (Title_nostem:("China Forces Senior Intelligence Officer")^10
>> AlternateTitle_nostem:("China Forces Senior Intelligence
>> Officer")^9)&sort=score
>> desc&rows=30&start=0&indent=off&facet=on&facet.limit=10000&facet.mincount=1&fl=AlternateTitle_text,Collection,CoverageCountry,CoverageState,Creator_nostem,DateLastModified,DateOfRecordEntry,Description_text,DisplayDate,DocID,ExternalDocId,ExternalDocSource,FileDate,FileExtension,FileSize,FileTitle_text,Format,Language,PublishDate,Publisher_text,Publisher_nostem,ReportNumber,ResourceType,RetrievedFrom,Rights,Subjects,Source,TabSection,Title_text,URL_text,Alternate_URL_text,CreatedBy,ModifiedBy,Notes&wt=phps&facet.field=Creator&facet.field=Format&facet.field=Language&facet.field=Publisher&facet.field=TabSection</span>
>> -- snippet --
>>
>> As you can see I have searched for "China Forces Senior Intelligence
>> Officer", so this is directly showing the query string.
>> Do they know that there is also a delete by query?
>> And there are also escape sequences?
>>
>> This is what I call scary.
>> Maybe some of the US fellows can give them a hint and a helping hand.
>>
>> Regards
>> Bernd
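The two escaping layers the thread is talking about, as an added example that is not part of this email thread and not the HSDL site's own code (the `wt=phps` parameter suggests their front end is PHP; Python is used here only as a stand-in): the search term is escaped before it is spliced into the Solr query syntax (the character set mirrors what Solr's `ClientUtils.escapeQueryChars` handles, which is my reading of the Solr source rather than something the thread states), and the finished query string is HTML-escaped before it is echoed into a debug `span` the way the page does. The field names and boosts are copied from the query in Bernd's snippet; `render_debug_span_unsafe` reproduces the raw-echo pattern so the difference is visible.

```python
import html

# Characters Solr's query parser treats as syntax, backslash-escaped by
# ClientUtils.escapeQueryChars (plus any whitespace character).
_SOLR_SPECIAL = set('\\+-!():^[]"{}~*?|&;/')


def escape_solr_query_chars(term: str) -> str:
    """Backslash-escape Solr query-syntax characters in a single user term."""
    out = []
    for ch in term:
        if ch in _SOLR_SPECIAL or ch.isspace():
            out.append('\\')
        out.append(ch)
    return ''.join(out)


def solr_phrase(term: str) -> str:
    """Quote a multi-word term as a phrase; only backslash and the quote
    character need escaping inside a phrase."""
    inner = term.replace('\\', '\\\\').replace('"', '\\"')
    return f'"{inner}"'


def build_title_query(user_term: str) -> str:
    """Field query in the shape seen in the snippet, with the term escaped
    so that a user cannot inject extra clauses or operators."""
    phrase = solr_phrase(user_term)
    return f'Title_nostem:({phrase})^10 AlternateTitle_nostem:({phrase})^9'


def render_debug_span_unsafe(solr_query: str) -> str:
    """The pattern from the snippet: the raw query string echoed into HTML.
    Kept here only to contrast with the escaped version below."""
    return f'<span style="display: none;">*** SOLR Query *** q={solr_query}</span>'


def render_debug_span(solr_query: str) -> str:
    """HTML-escape the query string before echoing it, so that whatever
    the user typed cannot become markup or script in the page."""
    return ('<span style="display: none;">*** SOLR Query *** q='
            + html.escape(solr_query, quote=True) + '</span>')


if __name__ == '__main__':
    # Constructed sample input: a search term that contains both Solr
    # syntax characters and an HTML tag.
    sample = 'China Forces: <b>Senior</b> "Officer"'
    q = build_title_query(sample)
    print(q)
    print(render_debug_span_unsafe(q))
    print(render_debug_span(q))
```

A quick check to run against any page that echoes a query like this: search for a term containing `<b>` and look at the page source; the escaped version shows `&lt;b&gt;`, the unsafe one shows a live tag.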