[CKAN-Security] Solr query injection issue

Lupco Kotev lupco.kotev at keitaro.com
Fri Feb 10 14:08:14 UTC 2017


It is possible to list private datasets and their description by injecting
extra SOLR parameters.

For example:
http://demo.ckan.org/dataset?q=&res_format=CSV%22%20/*&sort=score+desc%2C+metadata_modified+desc

The parameter res_format with the value CSV" /* doesn't get escaped properly,
which makes SOLR ignore the filter queries that are defined after it. Since
res_format is added to the filter query (fq) first and "capacity" is added
after it, "capacity" will be ignored, which will return private datasets.

I have submitted a pull request https://github.com/ckan/ckan/pull/3433
which adds the "capacity" filter query first and then adds all the user
defined filter queries.

This has been tested on SOLR version 5.5.0, where the exploit works. On SOLR
5.3.1 the exploit doesn't work: SOLR returns a bad request error because it
can't parse the query string.


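As an added example, not code from the report or from CKAN: a Python model of the fq construction the report describes, in the reported order beside a hardened builder that applies the reordering of PR #3433 and, as an extra hardening assumed here rather than taken from the report, escapes every user-supplied value as a quoted Solr phrase. A well-formedness check flags the stray token the unescaped payload leaves behind, which is the kind of check a search layer can run before sending fq to Solr.

```python
"""Filter-query (fq) construction for a Solr-backed dataset search.
Added example, not CKAN's code: models the report, where user filter values were
interpolated unescaped and ahead of the "capacity" clause that hides private datasets."""
import re

# One well-formed clause: field:"phrase", with only \" and \\ allowed inside the phrase.
CLAUSE_RE = re.compile(r'^(\w+):"((?:[^"\\]|\\.)*)"$')

def quote_phrase(value: str) -> str:
    """Return value as a Solr phrase literal: escape backslash and quote, then wrap in quotes."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'

def build_fq_reported(user_filters: dict, capacity: str = "public") -> str:
    """Ordering and lack of escaping as described in the report: user clauses first, capacity last."""
    parts = ['%s:"%s"' % (k, v) for k, v in user_filters.items()]
    parts.append('capacity:"%s"' % capacity)
    return " ".join(parts)

def build_fq_hardened(user_filters: dict, capacity: str = "public") -> str:
    """Capacity first (the reordering from PR #3433) plus phrase-escaping of every user value
    (the escaping is an assumption of this example, not part of the report)."""
    parts = ["capacity:%s" % quote_phrase(capacity)]
    parts += ["%s:%s" % (k, quote_phrase(v)) for k, v in user_filters.items()]
    return " ".join(parts)

def split_clauses(fq: str) -> list:
    """Split fq on whitespace that lies outside quoted phrases, honouring backslash escapes."""
    clauses, buf, in_quote, i = [], "", False, 0
    while i < len(fq):
        ch = fq[i]
        if ch == "\\" and i + 1 < len(fq):  # escaped char: copy both bytes verbatim
            buf += fq[i:i + 2]; i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch.isspace() and not in_quote:
            if buf: clauses.append(buf); buf = ""
        else:
            buf += ch
        i += 1
    if buf: clauses.append(buf)
    return clauses

def fq_is_well_formed(fq: str) -> bool:
    """True only if every clause is field:"phrase" with balanced quotes; a stray token such as
    the /* left by the unescaped payload in the report makes this False."""
    clauses = split_clauses(fq)
    return bool(clauses) and all(CLAUSE_RE.match(c) for c in clauses)
```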