couchdb-dev mailing list archives

From Florian Weimer ...@deneb.enyo.de>
Subject Re: Futon cannot use the RESTful HTTP API
Date Wed, 17 Feb 2010 20:34:20 GMT
* Jan Lehnardt:

> thanks for reporting this, but I'm not sure I understand what's supposed to be
> going on. Can I ask you to explain in a little more detail what your concerns
> are?

If you have an open Futon session, any web site you visit can write to
the Futon database, provided that the URL to the CouchDB instance is
known.  This is because browsers do not prevent cross-domain POST
requests using XMLHttpRequest.  The Futon session cookie will not be
transmitted by some browsers due to the HttpOnly flag.  (Regular
form-based POSTs do not appear to work as the content type is not
correct.)

Anyone who can write to the CouchDB instance can upload an HTML
document which contains embedded Javascript as an attachment to a
document which is reachable with a fixed URL.  If a Futon user loads
this document accidentally (or loading it is forced by a malicious web
page that is displayed with an open Futon session), the Javascript
executes with full access to the database (read and write access,
including PUT etc. methods).  This risk also exists if the browser
supports HttpOnly cookies.

Is this description more clear?

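A defensive illustration of the two conditions Florian describes, added here as an example that is not part of the original thread or of CouchDB's own code: a request filter that treats a state-changing request as cross-site unless its Origin (or Referer) matches the instance's own origin, and a helper that serves stored attachments with active content types as plain downloads instead of inline HTML. The header-dict shape, the `own_origin` value and both function names are my assumptions.

```python
"""Defensive checks for the two issues raised in the thread (illustration).

1. Cross-site writes: a browser attaches the session cookie to a cross-domain
   XMLHttpRequest POST/PUT/DELETE, so the cookie alone cannot show that the
   request came from Futon.  Modern browsers add an Origin header (older ones
   at least a Referer); refusing writes whose origin is not the instance's
   own origin closes that path regardless of HttpOnly.
2. Stored HTML attachments: an attachment served inline as text/html runs in
   the database's origin, so its script inherits the Futon session's rights.
   Serving it as text/plain with a download disposition keeps it inert.
"""
from urllib.parse import urlparse

STATE_CHANGING = {"POST", "PUT", "DELETE", "COPY"}  # COPY is a CouchDB method
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def is_cross_site_write(method, headers, own_origin):
    """Return True when a state-changing request must be refused.

    `headers` is a dict with lower-case header names; `own_origin` is the
    instance's scheme://host:port, e.g. 'http://127.0.0.1:5984' (example value).
    """
    if method.upper() not in STATE_CHANGING:
        return False  # reads are not the issue described here
    origin = headers.get("origin")
    if origin is None:
        referer = headers.get("referer")  # fallback for browsers without Origin
        if referer:
            p = urlparse(referer)
            origin = f"{p.scheme}://{p.netloc}"
    # No provenance at all is treated as cross-site: the cookie cannot tell a
    # Futon tab apart from a malicious page's XHR.
    return origin is None or origin.rstrip("/") != own_origin.rstrip("/")


def attachment_response_headers(content_type, filename):
    """Response headers for a stored attachment so it cannot run as a page."""
    base = content_type.split(";")[0].strip().lower()
    headers = {"X-Content-Type-Options": "nosniff"}  # no MIME sniffing to HTML
    if base in ACTIVE_TYPES:
        # Strip characters that could break out of the quoted filename/header.
        safe = filename.replace('"', "").replace("\r", "").replace("\n", "")
        headers["Content-Type"] = "text/plain; charset=utf-8"
        headers["Content-Disposition"] = f'attachment; filename="{safe}"'
    else:
        headers["Content-Type"] = content_type
    return headers
```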