couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jason Smith (JIRA)" <>
Subject [jira] Created: (COUCHDB-829) Denial of Service vulnerability in rewriter
Date Sun, 18 Jul 2010 17:18:49 GMT
Denial of Service vulnerability in rewriter

                 Key: COUCHDB-829
             Project: CouchDB
          Issue Type: Bug
          Components: Database Core
    Affects Versions: 1.0
         Environment: CouchDB trunk, erl R13B04
            Reporter: Jason Smith

Untrusted, unsanitized user input should not be converted to atoms because it allows the user
to fill up the atom table in the VM, wasting memory and eventually causing a couchdb crash.

If rewriting is enabled (which it is by default), and if an attacker knows a database and
ddoc name (even if the ddoc has no _rewrite rules), the attacker can permanently enter atoms
into system.

I have not exhaustively audited couch_httpd_rewrite.erl but  for instance handle_rewrite_req/3
converts all URL query keys to atoms.

    [info] [<0.38.0>] Apache CouchDB has started on
    1> erlang:list_to_existing_atom("do_i_exist").   
    ** exception error: bad argument
         in function  list_to_existing_atom/1
            called as list_to_existing_atom("do_i_exist")

    $ curl -X PUT localhost:5984/ex

    $ curl -X PUT localhost:5984/ex/_design/ex -d {}

    $ curl http://localhost:5984/ex/_design/ex/_rewrite?do_i_exist=blah
    {"error":"rewrite_error","reason":"Invalid path."}

    2> [info] [<0.109.0>] - - 'GET' /ex/_design/ex/_rewrite?do_i_exist=blah
    2> erlang:list_to_existing_atom("do_i_exist").

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message