lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 28 Jan 2011 22:22:45 +0100
From: Jan Lehnardt <jan@...che.org>
To: dev@...chdb.apache.org
Cc: user@...chdb.apache.org, security@...chdb.apache.org,
	security@...che.org, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com
Subject: CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue

CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache CouchDB 0.8.0 to 1.0.1

Description:
Apache CouchDB versions prior to version 1.0.2 are vulnerable to
cross site scripting (XSS) attacks.

Mitigation:
All users should upgrade to CouchDB 1.0.2. Upgrades from the 0.11.x
and 0.10.x series should be seamless. Users on earlier versions 
should consult http://wiki.apache.org/couchdb/Breaking_changes

Example:
Due to inadequate validation of request parameters and cookie data in
Futon, CouchDB's web-based administration UI, a malicious site can
execute arbitrary code in the context of a user's browsing session.

Credit:
This XSS issue was discovered by a source that wishes to stay 
anonymous.

References:
http://couchdb.apache.org/downloads.html
http://wiki.apache.org/couchdb/Breaking_changes
http://en.wikipedia.org/wiki/Cross-site_scripting

Jan Lehnardt
-- 

Powered by blists - more mailing lists