Closed C4o closed 2 years ago
docker run -p 8983:8983 -t solr:latest
Hi @C4o,
Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.
Since you submitted multiple requests, let's work on one issue at a time to ensure the quality of the detector!
Thanks!
Hi @C4o,
Your PR has been merged. This usually means a reward will be granted :) Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.
Thanks!
Thank you!
Hi @magl0, cause this PR is done, could I start another issue from #193 or #174?
I've accepted another request! :)
Hi @magl0, could I know how the QC process is going? Cause I have not been notified yet. And BTW, the PR of #174 is nearly done, may I start another one from the lists below?
Sorry for the late reply! It was Thanksgiving holiday last week and our team members, including myself, were on vacation. You should've been notified on the final decision now. We'll catch up with the reviews.
Hi @magl0, I've been notified. Thanks. And BTW, the PR of #174 is nearly done, may I start another one from the lists below?
Hi there,
I would like to contribute the implementation for a plugin that detects Apache Solr RemoteStreaming Arbitrary File Reading and SSRF. This vulnerability was found by QAX CERT from China, and it still works in the official Docker images of the latest version, and Solr refused to fix it. The PoC is like a plugin of yours, SolrVelocityTemplateRceDetector.java.
Vulnerability details:
Score: HIGH
References: https://github.com/vulhub/vulhub/tree/master/solr/Remote-Streaming-Fileread https://mp.weixin.qq.com/s/3WuWUGO61gM0dBpwqTfenQ
The vulnerability should be remotely exploitable without authentication and user interaction. Yes, with the default official Solr Docker image.
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes.
The vulnerability should have a relatively large impact radius. Yes.
Please let me know if this is in scope, as I've already done the development.
Thanks, C4o