couchdb-dev mailing list archives

From Paul Hammant <hamm...@apache.org>
Subject Re: ransom note - couchdb exploit / privilege escalation ?
Date Fri, 20 Jan 2017 11:49:22 GMT
>
> tee-hee, that was my wishful thinking, less actual planning :)
>
> As usual, there is no estimate for now.
>

Don't worry - my open source commitments slip by five years at a time, but
I thought I'd ask just in case.

It might be better to focus on a series of post-install scripts for 2.x
that lock down a couch.

I was *very* excited by my first (and more or less only) exposure to
CouchDB for - http://paulhammant.com/2015/12/21/angular-and-svg-and-couchdb.
As part of that I wanted to make it easy for the reader to turn on CORS:

perl -p -i -e 's/;enable_cors/enable_cors/' /usr/local/etc/couchdb/default.ini
perl -p -i -e 's/enable_cors = false/enable_cors = true/' /usr/local/etc/couchdb/default.ini
perl -p -i -e 's/;origins/origins/' /usr/local/etc/couchdb/default.ini
perl -p -i -e 's/origins = /origins = */' /usr/local/etc/couchdb/default.ini
perl -p -i -e 's/origins = \*\*/origins = */' /usr/local/etc/couchdb/default.ini


That's to turn on CORS (CouchDB v1.6.x), for the blog entry.

I'll bet that it's only another eight "one-liners" (Perl or not) to go
SSL-only, cancel the AdminParty, and generate a unique admin password.

- Paul
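
One way to script the "cancel the AdminParty, and generate a unique admin password" step mentioned in the message above, as an added example that is not part of Paul's message or of any CouchDB project script. The function names and the ini file argument are hypothetical, and it assumes CouchDB hashes a plaintext [admins] value the next time it starts.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Assumption: CouchDB replaces a
# plaintext value under [admins] with its hash on the next start, so the
# plaintext only sits in the ini file until the service is restarted.

# has_admin FILE: exit 0 if [admins] holds at least one uncommented entry.
has_admin() {
    awk '
        /^[ \t]*\[/ { in_admins = ($0 ~ /^[ \t]*\[admins\]/); next }
        in_admins && /^[ \t]*[^;# \t][^=]*=/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# gen_password: 24 random bytes from the kernel, printed as 48 hex characters.
gen_password() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# set_admin FILE [USER]: add "USER = <random>" under [admins], creating the
# section if it is missing. Refuses to touch a file that already has an admin.
# Prints the generated password on stdout so the caller can store it.
set_admin() {
    file=$1
    user=${2:-admin}
    if has_admin "$file"; then
        echo "refusing: $file already defines an admin" >&2
        return 1
    fi
    pass=$(gen_password)
    tmp=$(mktemp) || return 1
    awk -v line="$user = $pass" '
        { print }
        /^[ \t]*\[admins\]/ && !done { print line; done = 1 }
        END { if (!done) { print "[admins]"; print line } }
    ' "$file" >"$tmp" && cat "$tmp" >"$file"   # cat keeps owner and mode
    status=$?
    rm -f "$tmp"
    [ "$status" -eq 0 ] || return 1
    printf '%s\n' "$pass"
}
```

has_admin on its own works as a read-only check for an instance still in Admin Party, since it ignores commented-out entries such as ";admin = ...".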
