couchdb-dev mailing list archives

From Paul Hammant
Subject Re: ransom note - couchdb exploit / privilege escalation ?
Date Fri, 20 Jan 2017 11:49:22 GMT
> tee-hee, that was my wishful thinking, less actual planning :)
> As usual, there is no estimate for now.

Don't worry - my open source commitments slip by five years at a time, but
I thought I'd ask just in case.

It might be better to focus on a series of post-install scripts for 2.x
that lock down a couch.

I was *very* excited by my first (and more or less only) exposure to
CouchDB for -
As part of that I wanted to make it easy for the reader to turn on CORS:

perl -p -i -e 's/;enable_cors/enable_cors/' /usr/local/etc/couchdb/default.ini
perl -p -i -e 's/enable_cors = false/enable_cors = true/' /usr/local/etc/couchdb/default.ini
perl -p -i -e 's/;origins/origins/' /usr/local/etc/couchdb/default.ini
perl -p -i -e 's/origins = /origins = */' /usr/local/etc/couchdb/default.ini
perl -p -i -e 's/origins = \*\*/origins = */' /usr/local/etc/couchdb/default.ini

That's to turn on CORS (CouchDB v1.6.x), for the blog entry.

I'll bet that it's only another eight "one-liners" (Perl or not) to go
SSL-only, cancel the AdminParty, and generate a unique admin password.

- Paul
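
A post-install check for the items this message names (Admin Party, wildcard CORS, no SSL listener), as an added example that is not part of the original message or of CouchDB itself. It assumes the CouchDB 1.6.x ini layout (`[admins]`, `[httpd] enable_cors`, `[cors] origins`, `[daemons] httpsd`); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag the weak settings the message names
# in CouchDB 1.6.x-style ini files. Pass files in load order (default.ini, then
# local.ini); a later file overrides an earlier one.
audit_couch_ini() {
    awk '
        /^[ \t]*;/ || /^[ \t]*$/ { next }              # comments, blank lines
        /^\[/ { sec = $0; gsub(/^\[|\].*$/, "", sec); next }
        {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            conf[sec "." key] = val
            if (sec == "admins") admins++                # any server admin defined
        }
        END {
            if (!admins) { print "admin-party"; bad = 1 }
            if (conf["httpd.enable_cors"] == "true" && conf["cors.origins"] == "*") {
                print "cors-wildcard"; bad = 1
            }
            if (!("daemons.httpsd" in conf)) { print "no-https-listener"; bad = 1 }
            exit bad + 0
        }
    ' "$@"
}

# Constructed sample: the state left by the CORS one-liners on a fresh install.
write_sample_ini() {
    cat > "$1" <<'EOF'
[httpd]
enable_cors = true

[cors]
origins = *

[daemons]
; httpsd = {couch_httpd, start_link, [https]}

[admins]
;admin = mysecretpassword
EOF
}

sample=$(mktemp)
write_sample_ini "$sample"
audit_couch_ini "$sample" || true    # prints the three findings
rm -f "$sample"
```

The function exits non-zero when it reports any finding, so it can gate a provisioning step. An HTTPS listener alone does not make the server SSL-only, since the plain HTTP listener still has to be restricted separately.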
