incubator-couchdb-user mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: Is the CouchDB users database secure?
Date Tue, 16 Jul 2013 23:09:23 GMT
The _users database is not so open since our 1.2.0 release. A user can
only see their own document. Even before this you could only see
password hashes, but we agreed even this was too much to show.

B.


On 17 July 2013 00:08, Oliver Schmidt <spiollinux@googlemail.com> wrote:
> While reading the Kan.so docs (
> http://kan.so/docs/The_users_database ) I saw
> that the users database, which includes
> username and password, is publicly accessible
> for everyone. Couldn't an attacker use this to
> create a list of all username-password pairs?
> Wouldn't it be more secure to use a server side
> function which validates the password without
> giving the users db directly to everyone? Or am I
> just too paranoid?
>
> Regards
