couchdb-dev mailing list archives

From Paul Davis <paul.joseph.da...@gmail.com>
Subject Re: Futon cannot use the RESTful HTTP API
Date Wed, 17 Feb 2010 21:46:51 GMT
Florian,

Do you have any examples of how other sites have protected against
this? Unless I'm missing something I don't see how this is specific to
Futon so surely someone else has some explicit documentation on how to
avoid such things.

Thanks,
Paul Davis

On Wed, Feb 17, 2010 at 3:34 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
> * Jan Lehnardt:
>
>> thanks for reporting this, but I'm not sure I understand what's supposed to be
>> going on. Can I ask you to explain in a little more detail what your concerns
>> are?
>
> If you have an open Futon session, any web site you visit can write to
> the Futon database, provided that the URL to the CouchDB instance is
> known.  This is because browsers do not prevent cross-domain POST
> requests using XMLHttpRequest.  The Futon session cookie will not be
> transmitted by some browsers due to the HttpOnly flag.  (Regular
> form-based POSTs do not appear to work as the content type is not
> correct.)
>
> Anyone who can write to the CouchDB instance can upload an HTML
> document which contains embedded Javascript as an attachment to a
> document which is reachable with a fixed URL.  If a Futon user loads
> this document accidentally (or loading it is forced by a malicious web
> page that is displayed with an open Futon session), the Javascript
> executes with full access to the database (read and write access,
> including PUT etc. methods).  This risk also exists if the browser
> supports HttpOnly cookies.
>
> Is this description more clear?
>
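A defensive counterpart to the two issues Florian describes, added here as an example and not code from CouchDB or Futon: a filter that a reverse proxy in front of CouchDB could apply, refusing cross-site state-changing requests whose Origin/Referer does not match the CouchDB host the browser should be talking to, and forcing uploaded attachments to be downloaded instead of rendered in Futon's origin. The function names, the `allowed_origins` list and the sample host `http://localhost:5984` are assumptions of the example.

```python
"""Proxy-side request/response filter (added example, not CouchDB/Futon code).

1. allow_request: state-changing requests (POST/PUT/DELETE) are forwarded only
   when the browser reports they came from an allowed origin, so a foreign
   page's XMLHttpRequest POST is refused even if the session cookie is sent.
2. harden_attachment_response: an HTML attachment is served for download, so
   any script inside it never runs with the Futon user's database access.
Header names are assumed to be already canonicalised (e.g. "Origin").
"""
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "DELETE"}


def request_origin(headers):
    """Return scheme://host[:port] of the page that issued the request, or None."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/").lower()
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def allow_request(method, headers, allowed_origins):
    """Decide whether the proxy should forward the request to CouchDB.

    Read-only methods pass. A state-changing request with neither Origin nor
    Referer is refused: its source cannot be established, so it is treated
    as cross-site rather than trusted by default.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    origin = request_origin(headers)
    return origin is not None and origin in {o.lower() for o in allowed_origins}


def harden_attachment_response(headers, is_attachment):
    """Rewrite response headers so the browser downloads an attachment.

    Content-Disposition: attachment stops the document from being rendered in
    the database's origin; nosniff stops the browser from second-guessing a
    non-HTML content type and rendering it as HTML anyway.
    """
    out = dict(headers)
    if is_attachment:
        out["Content-Disposition"] = "attachment"
        out["X-Content-Type-Options"] = "nosniff"
    return out
```

Browsers that send neither header on a state-changing request will be refused by this filter; that is deliberate, since the alternative is to forward a request whose source is unknown.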
