[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1386585251.27758.0.camel@banzai>
Date: Mon, 09 Dec 2013 11:34:11 +0100
From: Nicolas Grégoire <nicolas.gregoire@...rri.fr>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Vulnerabilities in Apache Solr < 4.6.0
Hello,
Apache Solr is search platform edited by the Apache project. Quoting
http://lucene.apache.org/solr/:"its major features include powerful
full-text search, hit highlighting, faceted search, near real-time
indexing, dynamic clustering, database integration, rich document (e.g.,
Word, PDF) handling, and geospatial search".
Several vulnerabilities were fixed in recent versions of Solr:
- directory traversal when using XSLT or Velocity templates
(CVE-2013-6397 / SOLR-4882)
- XXE in UpdateRequestHandler (CVE-2013-6407 / SOLR-3895)
- XXE in DocumentAnalysisRequestHandler (CVE-2013-6408 / SOLR-4881)
These vulnerabilities were confirmed to be exploitable also on old
versions like 3.6.2. Gaining remote code execution is easy by combining
the directory traversal and XXE vulnerabilities.
If you wonder how these vulnerabilities could be exploited in real life
setups when Solr isn't reachable directly from the Internet, you may be
interested in the following blog post:
http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html
Cheers,
Nicolas Grégoire
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists