Subject: CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue
From: Jan Lehnardt
To: dev@couchdb.apache.org
Cc: user@couchdb.apache.org, security@couchdb.apache.org, security@apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Fri, 28 Jan 2011 22:22:45 +0100

CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected: Apache CouchDB 0.8.0 to 1.0.1

Description: Apache CouchDB versions prior to version 1.0.2 are vulnerable to cross site scripting (XSS) attacks.

Mitigation: All users should upgrade to CouchDB 1.0.2. Upgrades from the 0.11.x and 0.10.x series should be seamless. Users on earlier versions should consult http://wiki.apache.org/couchdb/Breaking_changes

Example: Due to inadequate validation of request parameters and cookie data in Futon, CouchDB's web-based administration UI, a malicious site can execute arbitrary code in the context of a user's browsing session.

Credit: This XSS issue was discovered by a source that wishes to stay anonymous.

References:
http://couchdb.apache.org/downloads.html
http://wiki.apache.org/couchdb/Breaking_changes
http://en.wikipedia.org/wiki/Cross-site_scripting

Jan Lehnardt
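As an added illustration of the class of fix the Example paragraph implies (validating request parameters and cookie data before they reach the page, and inserting them as text rather than markup), the following JavaScript is not Futon's or CouchDB's code; it assumes the parameter in question is a CouchDB database name and that the cookie is a plain key=value list.

```javascript
// Added example, not Futon's code. Shows defensive handling of the two
// inputs the advisory names: query-string parameters and cookie values.
// Assumption: the parameter of interest is a CouchDB database name.

// CouchDB database-name grammar: a lowercase letter first, then lowercase
// letters, digits and the characters _ $ ( ) + - /
const DB_NAME_RE = /^[a-z][a-z0-9_$()+\/-]*$/;

function isValidDbName(name) {
  return typeof name === 'string' && DB_NAME_RE.test(name);
}

// Parse a raw Cookie header into a map without trusting its contents;
// malformed percent-encoding is dropped rather than rendered.
function parseCookies(header) {
  const out = {};
  for (const part of String(header).split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!key) continue;
    try { out[key] = decodeURIComponent(raw); } catch (e) { /* skip bad value */ }
  }
  return out;
}

// Escape for an HTML text context (defence in depth on top of validation;
// with a live DOM, prefer textContent / createTextNode over innerHTML).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Choose the database name to display: query string first, then cookie.
// Anything outside the grammar is rejected, never rendered.
function selectDbName(queryString, cookieHeader) {
  const params = new URLSearchParams(queryString);
  const candidates = [params.get('db'), parseCookies(cookieHeader).db];
  for (const c of candidates) {
    if (isValidDbName(c)) return c;
  }
  return null;
}

function renderDbHeading(queryString, cookieHeader) {
  const db = selectDbName(queryString, cookieHeader);
  return db === null ? '<h1>No database selected</h1>' : `<h1>${escapeHtml(db)}</h1>`;
}
```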