lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <D105F928-15C0-403A-A958-1FD2648F5B38@apache.org>
Date: Tue, 17 Aug 2010 17:52:10 +0200
From: Jan Lehnardt <jan@...che.org>
To: dev@...chdb.apache.org
Cc: user@...chdb.apache.org, security@...chdb.apache.org,
	full-disclosure@...ts.grok.org.uk, security@...che.org,
	bugtraq@...urityfocus.com
Subject: CVE-2010-2234: Apache CouchDB Cross Site Request
	Forgery Attack

CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache CouchDB 0.8.0 to 0.11.0

Description:
Apache CouchDB versions prior to version 0.11.1 are vulnerable to
cross site request forgery (CSRF) attacks.

Mitigation:
All users should upgrade to CouchDB 0.11.2 or 1.0.1. Upgrades from 
the 0.11.x and 0.10.x series should be seamless. Users on earlier 
versions should consult 

http://wiki.apache.org/couchdb/Breaking_changes

Example:
A malicious website can POST arbitrary JavaScript code to well
known CouchDB installation URLs (like http://localhost:5984/)
and make the browser execute the injected JavaScript in the
security context of CouchDB's admin interface Futon.

Unrelated, but in addition the JSONP API has been turned off
by default to avoid potential information leakage.

Credit:
This CSRF issue was discovered by a source that wishes to stay 
anonymous.

References:
http://couchdb.apache.org/downloads.html
http://wiki.apache.org/couchdb/Breaking_changes
http://en.wikipedia.org/wiki/Cross-site_request_forgery

Jan Lehnardt
-- 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ