Search string triggers: error executing query

Report · Jul 01, 2015

I just had my site scanned and I noticed some strange errors that were triggered. When my scanner supplied the following search text (minus the quotes):

"X-CRLF-Safe-9b4de84877858f2fe7b59d6da03dbaa819ae590be0f88b961ae8d36f09fab4e5: no"

the cfsearch tag through the following exception:

"Error executing query : undefined field X-CRLF-Safe-9b4de84877858f2fe7b59d6da03dbaa819ae590be0f88b961ae8d36f09fab4e5"

To me this appears to be a SQL injection vulnerability in SOLR or the CFSEARCH tag. I can duplicate this on both CF10 and CF11. Ideas? Is this a known vulnerability? Is there a fix?

My CFSEARCH tag is coded as follows:

Report · Jul 01, 2015

Are you saying you feel it’s an injection vulnerability because it threw an error? I’d think that was an indication that it caught and blocked it. Now, whether that’s intentional or not, I don’t know. I’ve not really heard about whether Solr has injection protection built-in. CF doesn’t have much in the way of it, either (cfqueryparam is not a CF feature for sql injection protection. People get that benefit as an unexpected side-effect of the tag, and too is incomplete as far as sql injection protection of cfquery goes, but that’s another thread.)

As with cfquery, I’d say that if someone is taking form fields (like you show doing) and passing that right into a cfsearch, then yep, that will open the door to a vulnerability. If there is indeed no specific injection protection in Solr (or CFsearch, and I’m not aware of any), then it would be up to you, the developer, to watch for vulnerable strings. I know that’s not an answer many will want to hear.

I’m open to being schooled if I am missing something in either Solr or CF that could help you, here. But then again, perhaps the failure of the solr search is indication that it is doing some?

/charlie

/Charlie (troubleshooter, carehart.org)

Report · Jul 02, 2015

I guess it could be considered a documentation issue (or lack thereof), but I am using the default search type (simple) and I assumed that "simple" meant simple and if I search for "foo", I'll find documents containing "foo"; if I search for "X-CRLF-Safe-9b4de84877858f2fe7b59d6da03dbaa819ae590be0f88b961ae8d36f09fab4e5: no", I would find documents containing the phrase "X-CRLF-Safe-9b4de84877858f2fe7b59d6da03dbaa819ae590be0f88b961ae8d36f09fab4e5: no". Instead I received an unexpected error for an undocumented search syntax that I was not aware I had to filter for. I still cannot find a definitive CF or SOLR search syntax with all the possible reserved words to filter against. I also have not found how to escape characters nor what characters might need escaping. This is why I classify this more as a SQL injection like vulnerability. How do I know there is not a "debug: dump_entire_collection" command or worse "execute: something.exe"?

(as you can tell, I'm the paranoid type)

Report · Nov 13, 2015

Hi Steve,

I took a look at this (thanks for sending me a link and nice talking to you at CFSummit) - so in this example it is the : colon that is triggering the exception. The colin is used for searching specific fields in solr, so you have fields such as title that could be searched as "title: something". So the error you are getting does make sense here because there is no field in the solr document matching.

You can see the syntax documented here: Adobe ColdFusion 9 * Solr search examples

So you might want to strip out colon's from your user input to avoid this.

I am sure that there could be ways to cause the search to return all results, but if you construct your search query such that whatever the user searches for is AND'ed with the filtering criteria you desire that might be a good solution as well.

Adobe Community

Search string triggers: error executing query