Input Validation / Apache Solr Local Parameter Injection
Apache Solr local parameter injection is an input validation vulnerability (CWE-20) which occurs when user input is not properly sanitized and validated. This vulnerability can be exploited to inject local parameters into the application, which can then be used to execute malicious code on the server. This vulnerability is most commonly found in web applications which use Apache Solr search engine. As defined in the OWASP Testing Guide, it is a type of attack which exploits a vulnerability in the search engine to inject malicious code into the application.
The risk associated with Apache Solr local parameter injection is high as it can be used to gain access to sensitive data and execute malicious code on the server. This can have serious consequences, including data loss, system compromise and unauthorized access to the server.
The best way to prevent Apache Solr local parameter injection is to ensure that all user input is properly sanitized and validated. This can be done by using the OWASP ESAPI library to validate user input and prevent malicious code from being injected into the application. Additionally, the web application should be configured to use a secure authentication mechanism such as HTTP authentication or form-based authentication.
Example The following code example is taken from the CVE-2017-12629 vulnerability:
This code is an example of a malicious query which can be used to inject malicious code into the application.