couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Lehnardt <...@apache.org>
Subject Fwd: CVE-2012-5641 Apache CouchDB Information disclosure via unescaped backslashes in URLs on Windows
Date Mon, 14 Jan 2013 10:32:40 GMT

Begin forwarded message:

> From: Jan Lehnardt <jan@apache.org>
> Subject: CVE-2012-5641 Apache CouchDB Information disclosure via unescaped backslashes
in URLs on Windows 
> Date: January 14, 2013 11:05:52 GMT+01:00
> To: user@couchdb.apache.org, security@couchdb.apache.org, security@apache.org, full-disclosure@lists.grok.org.uk,
bugtraq@securityfocus.com
> Reply-To: security@couchdb.apache.org
> Reply-To: "security@couchdb.apache.org" <security@couchdb.apache.org>
> 
> CVE-2012-5641
> 
> Information disclosure via unescaped backslashes in URLs on Windows
> 
> Affected Versions:
> All Windows-based releases of Apache CouchDB, up to and including
> 1.0.3, 1.1.1, and 1.2.0 are vulnerable.
> 
> Description:
> A specially crafted request could be used to access content directly that
> would otherwise be protected by inbuilt CouchDB security mechanisms. This
> request could retrieve in binary form any CouchDB database, including the
> _users or _replication databases, or any other file that the user account
> used to run CouchDB might have read access to on the local filesystem. This
> exploit is due to a vulnerability in the included MochiWeb HTTP library.
> 
> Mitigation:
> Upgrade to a supported release that includes this fix, such as
> CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which
> include a specific fix for the MochiWeb component.
> 
> Work-Around:
> Users may simply exclude any file-based web serving components directly 
> within their configuration file, typically in `local.ini`. On a default 
> CouchDB installation, this requires amending the `favicon.ico` and
> `_utils` lines within `[httpd_global_handlers]`:
> 
>    [httpd_global_handlers]
>    favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
>    _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
> 
> If additional handlers have been added, such as to support Adobe's Flash
> `crossdomain.xml` files, these would also need to be excluded.
> 
> Acknowledgement:
> The issue was found and reported by Sriram Melkote to the upstream MochiWeb
> project.
> 
> References:
> https://github.com/melkote/mochiweb/commit/ac2bf
> 
> Jan Lehnardt
> -- 
> 


Mime
View raw message