incubator-couchdb-user mailing list archives

From "Paul Carey" <paul.p.ca...@gmail.com>
Subject Security via probability
Date Tue, 07 Oct 2008 23:35:26 GMT
My webapp PUTs data to a url like /controller/couchdb_db_doc_id. The
associated action currently performs no security checks. Specifically,
it doesn't ensure that the user making the PUT request and modifying
the data actually owns the associated document.

Given a uuid as a doc id, the chances of guessing a doc id are very
low indeed; successfully guessing a typical user's password would be
much easier. In order for an attack to be successful the attacker
would have to first guess a document id - extremely unlikely. This
leads me to believe that I don't *need* to perform any security checks
when modifying a document as described above. Any thoughts to the
contrary?

Cheers

Paul
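
The ownership check the message says the action currently skips, shown next to the id-only behaviour, as an added example that is not part of the original post. The in-memory `DB`, the `owner` field and the function names are assumptions; a real application would take the user from its authenticated session and the document from CouchDB.

```python
# Added example. DB is a constructed in-memory stand-in for a CouchDB
# database; the "owner" field and all function names are assumptions.
import uuid

class Forbidden(Exception): pass
class NotFound(Exception): pass
class Conflict(Exception): pass

DB = {}  # doc_id -> document dict

def create_doc(owner, body):
    """Store a new document under a random UUID and record who owns it."""
    doc_id = uuid.uuid4().hex
    DB[doc_id] = {"_id": doc_id, "_rev": 1, "owner": owner, **body}
    return doc_id

def put_unchecked(doc_id, body):
    """Behaviour described in the message: presenting the id is enough."""
    doc = DB.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    doc.update(body)  # the body may even overwrite "owner"
    doc["_rev"] += 1
    return doc

def put_checked(session_user, doc_id, rev, body):
    """Same update, authorised against the authenticated session user."""
    doc = DB.get(doc_id)
    # One error for "missing" and "not yours", so the response does not
    # confirm whether a given id exists.
    if doc is None or doc["owner"] != session_user:
        raise Forbidden(doc_id)
    # Reject writes based on a stale revision.
    if rev != doc["_rev"]:
        raise Conflict(doc_id)
    # The request body must not reassign identity or ownership fields.
    clean = {k: v for k, v in body.items()
             if k not in ("_id", "_rev", "owner")}
    doc.update(clean)
    doc["_rev"] += 1
    return doc
```

With the check in place, the document id only locates the record; the decision to allow the write rests on the session user matching the stored owner.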
