From: "Eli Stevens (Gmail)"
To: user@couchdb.apache.org, security@couchdb.apache.org
Date: Mon, 14 Jan 2013 08:14:35 -0800
Subject: Re: CVE-2012-5650 Apache CouchDB DOM based Cross-Site Scripting via Futon UI
In-Reply-To: <2FFF2FD7-8EAF-4EBF-AFDA-5AEB6EAC853F@apache.org>

(I've trimmed the CC list; apologies if that's incorrect)

Would it be possible to get a more complete description of this issue? Specifically, it would be nice to get a more exact description of the access required for an attacker to initiate the attack. I can make some reasonable guesses, but I would rather not rely on guesses when it comes to issuing updates to our customers.

Thanks,
Eli

On Mon, Jan 14, 2013 at 2:05 AM, Jan Lehnardt wrote:

> CVE-2012-5650
>
> DOM based Cross-Site Scripting via Futon UI
>
> Affected Versions:
> Apache CouchDB releases up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable.
>
> Description:
> Query parameters passed into the browser-based test suite are not sanitised, and can be used to load external resources. An attacker may execute JavaScript code in the browser, using the context of the remote user.
>
> Mitigation:
> Upgrade to a supported release that includes this fix, such as Apache CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which include a specific fix.
>
> Work-Around:
> Disable the Futon user interface completely, by adapting `local.ini` and restarting CouchDB:
>
> [httpd_global_handlers]
> _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
>
> Or by removing the UI test suite components:
>
> share/www/verify_install.html
> share/www/couch_tests.html
> share/www/custom_test.html
>
> Acknowledgement:
> This vulnerability was discovered & reported to the Apache Software Foundation by Frederik Braun https://frederik-braun.com/
>
> Jan Lehnardt
> --