couchdb-dev mailing list archives

From Jan Lehnardt <...@apache.org>
Subject Fwd: CVE-2012-5650 Apache CouchDB DOM based Cross-Site Scripting via Futon UI
Date Mon, 14 Jan 2013 10:32:46 GMT


Begin forwarded message:

> From: Jan Lehnardt <jan@apache.org>
> Subject: CVE-2012-5650 Apache CouchDB DOM based Cross-Site Scripting via Futon UI
> Date: January 14, 2013 11:05:54 GMT+01:00
> To: "user@couchdb.apache.org" <user@couchdb.apache.org>, "security@couchdb.apache.org" <security@couchdb.apache.org>, "security@apache.org" <security@apache.org>, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
> Reply-To: "security@couchdb.apache.org" <security@couchdb.apache.org>
> 
> CVE-2012-5650 
> 
> DOM based Cross-Site Scripting via Futon UI
> 
> Affected Versions:
> Apache CouchDB releases up to and including 1.0.3, 1.1.1, and 1.2.0 
> are vulnerable.
> 
> Description:
> Query parameters passed into the browser-based test suite are not sanitised,
> and can be used to load external resources. An attacker may execute JavaScript
> code in the browser, using the context of the remote user.
> 
> Mitigation:
> Upgrade to a supported release that includes this fix, such as Apache
> CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which
> include a specific fix.
> 
> Work-Around:
> Disable the Futon user interface completely, by adapting `local.ini` and
> restarting CouchDB:
> 
>    [httpd_global_handlers]
>    _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
> 
> Or by removing the UI test suite components:
> 
>    share/www/verify_install.html
>    share/www/couch_tests.html
>    share/www/custom_test.html
> 
> Acknowledgement:
> This vulnerability was discovered & reported to the Apache Software Foundation
> by Frederik Braun https://frederik-braun.com/
> 
> Jan Lehnardt
> -- 
> 

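The advisory above describes the bug only in outline: the test-suite pages take a query parameter and use it to load a resource, so the parameter decides what script the browser runs. The following is an added illustration, not CouchDB's own Futon code and not the actual patch. It shows the vulnerable pattern (a query parameter used directly as a script source) next to a hardened resolver that only selects among known same-origin test names. The parameter name `script`, the test names in `KNOWN_TESTS`, the `/_utils/script/test/` prefix and all function names are assumptions for the example; the inputs are constructed.

```javascript
// Added example (not CouchDB/Futon code): DOM-based XSS via a query parameter
// used as a script source, beside a hardened form. Names and paths are assumed.

// Minimal parser for a location.search-style string ("?a=1&b=2").
function parseQuery(search) {
  const params = {};
  for (const pair of String(search).replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    try {
      params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
    } catch (e) {
      // Malformed percent-encoding: ignore the pair rather than throw.
    }
  }
  return params;
}

// VULNERABLE pattern: whatever the query string says becomes the script URL,
// so "//attacker.example/evil.js" (or a path outside the test directory)
// is loaded and executed in the context of the logged-in user.
function vulnerableScriptSrc(search) {
  const q = parseQuery(search);
  return q.script === undefined ? null : q.script;
}

// Hardened pattern: the parameter only *selects* a test; the URL is built
// from a constant same-origin prefix plus a name that passed an allow-list.
const KNOWN_TESTS = new Set(['basics', 'all_docs', 'attachments']); // assumed names
const TEST_PREFIX = '/_utils/script/test/';                          // assumed path

function hardenedScriptSrc(search) {
  const name = parseQuery(search).script;
  if (typeof name !== 'string') return null;
  // Tight character class: no slashes, dots, colons or schemes can get through.
  if (!/^[a-z_][a-z0-9_]*$/.test(name)) return null;
  if (!KNOWN_TESTS.has(name)) return null;
  return TEST_PREFIX + name + '.js';
}

// The DOM sink shared by both variants. In a browser this is called as
// loadTestScript(document, location.search, hardenedScriptSrc).
// Returns true if a <script> element was appended, false if the resolver refused.
function loadTestScript(doc, search, resolve) {
  const src = resolve(search);
  if (src === null) return false;
  const el = doc.createElement('script');
  el.src = src;
  doc.head.appendChild(el);
  return true;
}

module.exports = { parseQuery, vulnerableScriptSrc, hardenedScriptSrc, loadTestScript };
```

The point of the hardened resolver is that user input never reaches the sink as a URL at all: it is reduced to a choice among constants, which is the same effect the advisory's work-around achieves more bluntly by disabling `_utils` or deleting the three test pages.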
