Protection against cross-site scripting attacks (XSS) in Elasticsearch server?

I'm not sure on the official stance for this sort of thing, but 0.19.X is
pretty old (nearly 18 months) and you'd be better off
upgrading than expecting a quick fix.

Maybe one of the devs can give some better insight though.

Regards,
Mark Walkom

Infrastructure Engineer
Campaign Monitor
email: markw@campaignmonitor.com
web: www.campaignmonitor.com

On 16 December 2013 18:09, Chethan B D chethan.bd@enhancesys.com wrote:

Hi All,

Issue: Elasticsearch server (port:9200) is prone to the XSS
vulnerability.

Version: 0.19.8

Environment: RHEL 5.10

Vulnerability Description:
The Elasticsearch server fails to adequately sanitize request strings of
malicious JavaScript.
So, an attacker may be able to cause arbitrary HTML and script code to be
executed in a user's browser within the security context of the affected
site.

The request string used to detect this flaw was:
/scripts/uw12snbk.asp?

The output was:

HTTP/1.1 400 Bad Request
Access-Control-Allow-Origin: *
Content-Type: text/plain; charset=UTF-8
Content-Length: 108

No handler found for this uri [/scripts/uw12snbk.asp?] and method [GET]

So, is there an Elasticsearch server configuration which can prevent XSS,
i.e. one which provides a proper handler message instead of 400 Bad Request
in the response?

BR,
Chethan

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/93657597-9cb9-4e87-b7cf-d97d2ba113bf%40googlegroups.com
.
For more options, visit https://groups.google.com/groups/opt_out.
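The finding above hinges on one detail of the captured response: the request path is echoed back, but with Content-Type text/plain, which a browser does not render as HTML. The following triage helper is an added example, not code from this thread or from Elasticsearch; it parses a raw response like the one quoted (embedded here as a constructed sample), checks whether the probe string is reflected, and reports whether that reflection lands in an HTML context, whether X-Content-Type-Options: nosniff is set, and whether the wildcard CORS header seen above is present. The function names `parse_http_response`, `assess_reflection` and `triage` are this example's own.

```python
HTML_TYPES = ("text/html", "application/xhtml+xml")

# Constructed sample: the probe and response quoted in the original post.
PROBE = "/scripts/uw12snbk.asp?"
SAMPLE_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "Content-Length: 108\r\n"
    "\r\n"
    "No handler found for this uri [/scripts/uw12snbk.asp?] and method [GET]"
)


def parse_http_response(raw: str) -> tuple[int, dict, str]:
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def assess_reflection(probe: str, raw_response: str) -> dict:
    """Report where (if anywhere) the probe string is reflected and in what context."""
    status, headers, body = parse_http_response(raw_response)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    reflected = probe in body
    return {
        "status": status,
        "content_type": ctype,
        "reflected": reflected,
        # Only an HTML media type lets a browser interpret the echoed text as markup.
        "html_context": reflected and ctype in HTML_TYPES,
        "nosniff": headers.get("x-content-type-options", "").lower() == "nosniff",
        "cors_wildcard": headers.get("access-control-allow-origin") == "*",
    }


def triage(result: dict) -> str:
    """Turn the assessment into a one-line verdict for the ticket."""
    if not result["reflected"]:
        return "not reflected"
    if result["html_context"]:
        return "reflected in HTML context: treat as XSS"
    note = "" if result["nosniff"] else " (nosniff header absent)"
    return f"reflected as {result['content_type']}, not rendered as HTML{note}"


if __name__ == "__main__":
    print(triage(assess_reflection(PROBE, SAMPLE_RESPONSE)))
```

Run against the quoted response it reports a text/plain reflection with nosniff absent; the same check run against an HTML-typed response flags the real XSS case.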
