Yes, I agree. The point of the "vulnerability" is that an HTTP 1.0 request (which does not require a Host header) will cause the origin to guess what it should put in the Location header. In some cases that guess is the IP of the server. In an HTTP 1.1 or higher request the Host header is used.
I don't know what it has to do with IIS or Basic auth, but that CVE is very, very old. I can't think of a way to return a redirect without violating this condition, because iirc the HTTP spec says Location headers need to be fully qualified with protocol and host! That might not have applied in the HTTP 1.0 days though. (Although in practice many servers return just /paths.)

I tried to test this through my load balancer but did not get a Solr IP address, because I think the lb had fixed up the headers. (https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassreverse)

imho this is a load balancer/proxy problem and not an origin problem. Solr/Jetty respects a Host header. You could lock it down with Jetty configs.

> On Apr 7, 2022, at 7:05 PM, Vincenzo D'Amore <v.dam...@gmail.com> wrote:
>
> I don't think this is the point and I agree that Solr should not be
> accessible from the outside world but only from a restricted number of
> clients.
>
> So in my opinion, the OP was trying to explain that, for example, if you
> make an http call to solr through a reverse proxy (or a chain of) with the
> path / the answer is a 302 with the ip address of the original server.
>
>
>> On Thu, Apr 7, 2022 at 11:45 PM dmitri maziuk <dmitri.maz...@gmail.com>
>> wrote:
>>
>>> On 2022-04-07 9:56 AM, Anchal Sharma2 wrote:
>>> Hi All,
>>>
>>> It took me a while to get the following information about the detected
>>> vulnerability from the security team .
>> ...
>>
>> Maybe you should educate them about a vulnerability in the `ping`
>> command: if they ping your solr server by its name, it'll tell them the
>> server's ip address.
>>
>> Dima
>>
>
> --
> Vincenzo D'Amore
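Added example, not written by anyone in this thread: a small audit helper for the behaviour discussed above. It builds the Host-less HTTP 1.0 request and checks whether the Location header of a redirect carries an IP literal instead of a name. The three sample responses, their addresses and the host name are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def build_probe(path="/"):
    """HTTP 1.0 request with no Host header, the case described in the thread."""
    return f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")

def location_of(raw_response: bytes):
    """Return the Location header value of a raw HTTP response, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None

def disclosed_ip(raw_response: bytes):
    """Return the IP address used as the Location host, or None if there is none."""
    loc = location_of(raw_response)
    if not loc:
        return None
    host = urlsplit(loc).hostname                # None for relative redirects (/solr/)
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)        # IPv4 or IPv6 literal
    except ValueError:
        return None                              # a DNS name, nothing disclosed

# Constructed sample responses (not captured from a real server).
ORIGIN_GUESS = (b"HTTP/1.1 302 Found\r\n"
                b"Location: http://10.1.2.3:8983/solr/\r\n"
                b"Content-Length: 0\r\n\r\n")
PROXY_FIXED = (b"HTTP/1.1 302 Found\r\n"
               b"Location: https://search.example.org/solr/\r\n"
               b"Content-Length: 0\r\n\r\n")
RELATIVE = (b"HTTP/1.1 302 Found\r\n"
            b"Location: /solr/\r\n"
            b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, resp in [("origin guess", ORIGIN_GUESS),
                        ("proxy rewrite", PROXY_FIXED),
                        ("relative path", RELATIVE)]:
        ip = disclosed_ip(resp)
        note = f"discloses {ip} (private={ip.is_private})" if ip else "no IP in Location"
        print(f"{label}: {note}")
```

Running the same check against a response captured directly from the origin and one captured through the proxy shows which layer is rewriting the header.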