exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache CouchDB 1.0.3 / 1.1.1 / 1.2.0 Cross Site Scripting

Apache CouchDB 1.0.3 / 1.1.1 / 1.2.0 Cross Site Scripting
Posted Jan 14, 2013
Authored by Jan Lehnardt | Site couchdb.apache.org

Apache CouchDB versions up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable to a DOM based cross site scripting issue.

tags | advisory, xss
advisories | CVE-2012-5650
SHA-256 | c4a4d0ab65eac5dc5149ee6760f776cab2bbc0d6b3d641a0e367abd408c3dd9f

Apache CouchDB 1.0.3 / 1.1.1 / 1.2.0 Cross Site Scripting

Change Mirror Download
CVE-2012-5650 

DOM based Cross-Site Scripting via Futon UI

Affected Versions:
Apache CouchDB releases up to and including 1.0.3, 1.1.1, and 1.2.0
are vulnerable.

Description:
Query parameters passed into the browser-based test suite are not sanitised,
and can be used to load external resources. An attacker may execute JavaScript
code in the browser, using the context of the remote user.

Mitigation:
Upgrade to a supported release that includes this fix, such as Apache
CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which
include a specific fix.

Work-Around:
Disable the Futon user interface completely, by adapting `local.ini` and
restarting CouchDB:

[httpd_global_handlers]
_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}

Or by removing the UI test suite components:

share/www/verify_install.html
share/www/couch_tests.html
share/www/custom_test.html

Acknowledgement:
This vulnerability was discovered & reported to the Apache Software Foundation
by Frederik Braun https://frederik-braun.com/

Jan Lehnardt
--
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close