I haven't spent time trying anything, I just entered a query and noticed that it showed up in the page source view. If they really escape everything, is it not that dangerous?
Actually, I don't want to try anything with their page; they might not have any sense of humor ;-)

Bernd

On 22.08.2012 15:41, Michael Della Bitta wrote:
> Actually, I'm having a little trouble coming up with a
> proof-of-concept exploit for this... it doesn't seem like Solr is
> exposed directly, and it does seem like it's escaping submitted
> content before redisplaying it on the page.
>
> I'm not crazy about leaking the raw query string into the HTML, but it
> doesn't seem to lead to more than just that.
>
> Please let me know if I am missing something, it's still morning time
> here in the US and I haven't had enough coffee yet. :)
>
> Michael Della Bitta
>
> ------------------------------------------------
> Appinions | 18 East 41st St., Suite 1806 | New York, NY 10017
> www.appinions.com
> Where Influence Isn't a Game
>
>
> On Wed, Aug 22, 2012 at 9:32 AM, Michael Della Bitta
> <michael.della.bi...@appinions.com> wrote:
>> Ouch, not to mention the potential for XSS.
>>
>> I'll see if I can get in touch with someone.
>>
>> Michael Della Bitta
>>
>> ------------------------------------------------
>> Appinions | 18 East 41st St., Suite 1806 | New York, NY 10017
>> www.appinions.com
>> Where Influence Isn't a Game
>>
>>
>> On Wed, Aug 22, 2012 at 3:40 AM, Bernd Fehling
>> <bernd.fehl...@uni-bielefeld.de> wrote:
>>> Now this is very scary: while searching for "solr direct access per docid"
>>> I got a hit from the US Homeland Security Digital Library. Interested in
>>> what they have to tell me about my search, I clicked on the link to the page.
>>> At first the page had nothing unusual about it, but why did I get the hit?
>>> http://www.hsdl.org/?collection/stratpol&id=4
>>>
>>> Inspecting the page source view shows that they have the Solr query
>>> displayed directly on their page as a "span" with "style=display:none".
>>> -- snippet --
>>> <!-- Search Results -->
>>>
>>> <span style="display: none;">*** SOLR Query *** — q=Collection:0 AND
>>> (TabSection:("Congressional hearings and testimony", "Congressional
>>> reports", "Congressional resolutions", "Directives (presidential)",
>>> "Executive orders", "Major Legislation", "Public laws", "Reports (CBO)",
>>> "Reports (CHDS)", "Reports (CRS)",...
>>> ...
>>> AND (Title_nostem:("China Forces Senior Intelligence Officer")^10
>>> AlternateTitle_nostem:("China Forces Senior Intelligence
>>> Officer")^9)&sort=score
>>> desc&rows=30&start=0&indent=off&facet=on&facet.limit=10000&facet.mincount=1&fl=AlternateTitle_text,Collection,CoverageCountry,CoverageState,Creator_nostem,DateLastModified,DateOfRecordEntry,Description_text,DisplayDate,DocID,ExternalDocId,ExternalDocSource,FileDate,FileExtension,FileSize,FileTitle_text,Format,Language,PublishDate,Publisher_text,Publisher_nostem,ReportNumber,ResourceType,RetrievedFrom,Rights,Subjects,Source,TabSection,Title_text,URL_text,Alternate_URL_text,CreatedBy,ModifiedBy,Notes&wt=phps&facet.field=Creator&facet.field=Format&facet.field=Language&facet.field=Publisher&facet.field=TabSection</span>
>>> -- snippet --
>>>
>>> As you can see, I searched for "China Forces Senior Intelligence
>>> Officer", so this is directly showing the query string.
>>> Do they know that there is also a delete by query?
>>> And are there also escape sequences?
>>>
>>> This is what I call scary.
>>> Maybe some of the US fellows can give them a hint and a helping hand.
>>>
>>> Regards
>>> Bernd

-- 
*************************************************************
Bernd Fehling                    Universitätsbibliothek Bielefeld
Dipl.-Inform. (FH)                LibTec - Bibliothekstechnologie
Universitätsstr. 25                      und Wissensmanagement
33615 Bielefeld
Tel. +49 521 106-4060            bernd.fehling(at)uni-bielefeld.de

BASE - Bielefeld Academic Search Engine - www.base-search.net
*************************************************************
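The two concerns raised in the thread, as an added example that is not part of the original mail and not hsdl.org's code: user text that goes into the Solr query is escaped for the query parser (the bare-term character set mirrors what Solr's ClientUtils.escapeQueryChars escapes; inside a quoted phrase only backslash and the double quote are syntax), the query is HTML-escaped before it is reflected into the page, and a small check reports whether a rendered fragment reflected a term verbatim. The query shape and field names are taken from the snippet above; the function names are assumptions.

```python
import html

# Characters the Solr/Lucene classic query parser treats as syntax. The set
# reproduces what Solr's ClientUtils.escapeQueryChars escapes (whitespace too).
_SOLR_SPECIAL = frozenset('\\+-!():^[]"{}~*?|&;/ \t\n')


def escape_solr_term(term: str) -> str:
    """Backslash-escape a bare (unquoted) term so it is matched literally."""
    return "".join(("\\" + ch) if ch in _SOLR_SPECIAL else ch for ch in term)


def solr_phrase(text: str) -> str:
    """Wrap user text as a quoted phrase; inside quotes only \\ and " are syntax."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_title_query(user_term: str) -> str:
    """Query in the shape the thread's snippet shows (assumed, not the site's code)."""
    phrase = solr_phrase(user_term)
    return f"Title_nostem:({phrase})^10 AlternateTitle_nostem:({phrase})^9"


def render_debug_span(query: str) -> str:
    """Reflect the query into a hidden span as the snippet does, but HTML-escaped."""
    return ('<span style="display: none;">*** SOLR Query *** q='
            + html.escape(query, quote=True) + "</span>")


def reflected_unescaped(fragment: str, term: str) -> bool:
    """True when a term that carries markup characters appears verbatim in the HTML."""
    return html.escape(term, quote=True) != term and term in fragment


if __name__ == "__main__":
    # Constructed sample input: a search term containing markup and quotes.
    term = 'Officer <b>x</b> "quoted"'
    span = render_debug_span(build_title_query(term))
    print(span)
    print("reflected unescaped:", reflected_unescaped(span, term))
```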