Using Drupal core search form block the following input is fillter properly upon submission : <a onclick=alert(document.cookie)>. When apache solr module is enabled this input is not filtered and if you are using breadcrumb renders the malformed html resulting in a clickable html area that displays the site cookie.

Comments

mtbosworth’s picture

StatusFileSize
new25.14 KB

This patch uses the filter_xss function to scrub the search term before building the $form['#redirect'] path.

mtbosworth’s picture

StatusFileSize
new25.14 KB

I found a second instance where the $keys value needed to be scrubbed.

Michael Hofmockel’s picture

Status: Active » Needs review
StatusFileSize
new1.12 KB

The Apache solr module alone will not create this. But if the search form is inline with the breadcrumbs an open tag in the breadcrumb can wrap the form and leverage it for attack.

Although mtbosworth patch takes care of the form submission it misses the possibility of an attack directly through a URL submission. I have attached a simpler patch that address the problem earlier in the flow for all cases.

Michael Hofmockel’s picture

Status: Needs review » Closed (cannot reproduce)

I am closing this bug as I have found it to be in the custom breadcrumbs on our site. The breadcrumbs are created in some cases from the URL. Once I sanitized the breadcrumb with filter_xss, our problem was resolved in all cases. Sorry for the false alarm.

How ever it should be considered that the search inputs be sanitized prior to being incorporated into the URL. In my case arg(2) is unsanitary in the URL.

FYI
My problem was solved in template.php with the addition of filter_xss()
$breadcrumb[2] = filter_xss(arg(2),array());

hanskuiters’s picture

Version: 6.x-1.2 » 6.x-1.6
Status: Closed (cannot reproduce) » Active

Reopening this issue. Found out I can execute javascript through default search box. If I uninstall Apache Solr Search Integration, search is correct.

Code to reproduce:
<script>alert('hello');</script>

Drupal 6.20
Apache Solr 1.6

nick_vh’s picture

Status: Active » Postponed (maintainer needs more info)

Please provide us with a complete list of your contrib modules. Did you do form alters? Can you reproduce the same error on a vanilla drupal with only apachesolr?

hanskuiters’s picture

I have about 99 contributed modules, so for now I spare you the list. I did some form alters, but for the test I didn't use them. On a clean D6 install with Apache Solr, all went well. Strange thing: on Safari and Chrome (Windows) the error doesn't occure.

I'll do some debug myself before I get back.

hanskuiters’s picture

Found it. Your advice to test on a clean install did it. I also tested with Garland to rule out my theme.

I said I didn't use form alters while testing. That was right. But I did use the search query to place an extra link on the page which performs an alternate search query to an external database: "do you like to search for [search query] in publications?". And I didn't sanatize that search query. So while printing the extra line it executes the javascript. I now use filter_xss() on the search query.

nick_vh’s picture

Status: Postponed (maintainer needs more info) » Closed (fixed)

Great! Problem solved :)