Full Disclosure mailing list archives
CVE-2012-5650 Apache CouchDB DOM based Cross-Site Scripting via Futon UI
From: Jan Lehnardt <jan () apache org>
Date: Mon, 14 Jan 2013 11:05:54 +0100
CVE-2012-5650 DOM based Cross-Site Scripting via Futon UI Affected Versions: Apache CouchDB releases up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable. Description: Query parameters passed into the browser-based test suite are not sanitised, and can be used to load external resources. An attacker may execute JavaScript code in the browser, using the context of the remote user. Mitigation: Upgrade to a supported release that includes this fix, such as Apache CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which include a specific fix. Work-Around: Disable the Futon user interface completely, by adapting `local.ini` and restarting CouchDB: [httpd_global_handlers] _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>} Or by removing the UI test suite components: share/www/verify_install.html share/www/couch_tests.html share/www/custom_test.html Acknowledgement: This vulnerability was discovered & reported to the Apache Software Foundation by Frederik Braun https://frederik-braun.com/ Jan Lehnardt -- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- CVE-2012-5650 Apache CouchDB DOM based Cross-Site Scripting via Futon UI Jan Lehnardt (Jan 14)