couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From eric casteleijn <>
Subject Re: Futon cannot use the RESTful HTTP API
Date Fri, 19 Feb 2010 16:21:33 GMT
On 02/19/2010 06:43 AM, Florian Weimer wrote:
> * Paul Davis:
>> Do you have any examples of how other sites have protected against
>> this? Unless I'm missing something I don't see how this is specific to
>> Futon so surely someone else has some explicit documentation on how to
>> avoid such things.
> The standard countermeasure puts session identifiers into URLs
> (sometimes they are called "form tokens", but this doesn't fit the
> context here).
> Upon login, the client could specify if it wants a session with or
> without form tokens.


is a pretty thorough resource.

One of the first discoveries of the vulnerability was in Zope back in 
2000. AFAIK, the issue has still not been fixed there (although it has 
been in some CMSes built on top of Zope), which tells you something 
about Zope, but also about how exploitable this bug is:

You need to target a specific site that you know is running a particular 
back end, craft a POST url that will do something nasty, and then trick 
someone with admin privileges into clicking that link, while being 
logged in to the targeted site as admin.

I'm not saying it shouldn't be fixed, (with nonce tokens in any form 
that does something potentially dangerous, as Florian says) but it's not 
threat level 'change underwear'.

eric 'someday soon I'll write a whole mail without mentioning the good 
old days of Zope' casteleijn

View raw message