Issue: Elasticsearch server (port 9200) is prone to XSS
Environment: RHEL 5.10
The Elasticsearch server fails to adequately sanitize request strings of
So, an attacker may be able to cause arbitrary HTML and script code to be
executed in a user's browser within the security context of the affected
The request string used to detect this flaw was:
The output was:
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=UTF-8
No handler found for this uri
[/scripts/uw12snbk.asp?] and method [GET]
So, is there an Elasticsearch server configuration which can prevent XSS,
one which can provide a proper handler message instead of 400 Bad Request in the
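As an added example (not from the poster or the Elasticsearch project), a small Python triage helper that parses a response shaped like the 400 quoted above and checks whether a reflected path segment could actually run as script: a text/plain body is rendered as literal text by the browser, so reflection in it is inert, and the finding only matters if the same reflection appears under an HTML/XML type or under a missing, sniffable Content-Type. The probe string and the sample response are constructed; the scanner's real request string is not on the page.

```python
from typing import Dict, Tuple

# Constructed sample modelled on the 400 response quoted in the post; the path
# segment is a placeholder standing in for whatever probe the scanner sent.
PROBE = "PROBE_PLACEHOLDER"
SAMPLE_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "\r\n"
    f"No handler found for this uri [/scripts/{PROBE}?] and method [GET]"
)

# Media types a browser renders as a document, where reflected markup executes.
RENDERABLE_TYPES = {"text/html", "application/xhtml+xml", "text/xml",
                    "application/xml", "image/svg+xml"}


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into status, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def triage_reflection(raw: str, probe: str) -> Dict[str, object]:
    """Decide whether a reflected probe could execute as script in a browser.

    Reflection alone is not XSS: text/plain is shown as literal text, and a
    missing Content-Type is only safe when nosniff stops content sniffing.
    """
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    reflected = probe in body
    renderable = ctype in RENDERABLE_TYPES or (ctype == "" and not nosniff)
    return {
        "status": status,
        "content_type": ctype or None,
        "reflected": reflected,
        "exploitable": reflected and renderable,
    }


if __name__ == "__main__":
    print(triage_reflection(SAMPLE_RESPONSE, PROBE))
```

For the quoted response the verdict is "reflected but not exploitable", which is the usual outcome for this class of scanner finding against an API that only ever answers with text/plain or application/json.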