| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Jan 2013 11:05:54 +0100
From: Jan Lehnardt <jan@...che.org>
To: "user@...chdb.apache.org" <user@...chdb.apache.org>,
"security@...chdb.apache.org" <security@...chdb.apache.org>,
"security@...che.org" <security@...che.org>,
full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: CVE-2012-5650 Apache CouchDB DOM based Cross-Site Scripting via Futon UI
CVE-2012-5650
DOM based Cross-Site Scripting via Futon UI
Affected Versions:
Apache CouchDB releases up to and including 1.0.3, 1.1.1, and 1.2.0
are vulnerable.
Description:
Query parameters passed into the browser-based test suite are not sanitised,
and can be used to load external resources. An attacker may execute JavaScript
code in the browser, using the context of the remote user.
Mitigation:
Upgrade to a supported release that includes this fix, such as Apache
CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which
include a specific fix.
Work-Around:
Disable the Futon user interface completely, by adapting `local.ini` and
restarting CouchDB:
[httpd_global_handlers]
_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
Or by removing the UI test suite components:
share/www/verify_install.html
share/www/couch_tests.html
share/www/custom_test.html
Acknowledgement:
This vulnerability was discovered & reported to the Apache Software Foundation
by Frederik Braun https://frederik-braun.com/
Jan Lehnardt
--
Powered by blists - more mailing lists