I just had my site scanned and I noticed some strange errors that were triggered. When my scanner supplied the following search text (minus the quotes):
"X-CRLF-Safe-9b4de84877858f2fe7b59d6da03dbaa819ae590be0f88b961ae8d36f09fab4e5: no"
the cfsearch tag through the following exception:
"Error executing query : undefined field X-CRLF-Safe-9b4de84877858f2fe7b59d6da03dbaa819ae590be0f88b961ae8d36f09fab4e5"
To me this appears to be a SQL injection vulnerability in SOLR or the CFSEARCH tag. I can duplicate this on both CF10 and CF11. Ideas? Is this a known vulnerability? Is there a fix?
My CFSEARCH tag is coded as follows:
<cfsearch name="qSearch" collection="myCollection" criteria="#FORM.searchText#" contextbytes="300" />