Quantcast
Channel: BOT24
Viewing all articles
Browse latest Browse all 8064

CVE-2012-5641 Apache CouchDB Information disclosure via unescaped backslashes in URLs on Windows

$
0
0

CVE-2012-5641

Information disclosure via unescaped backslashes in URLs on Windows

Affected Versions:
All Windows-based releases of Apache CouchDB, up to and including
1.0.3, 1.1.1, and 1.2.0 are vulnerable.

Description:
A specially crafted request could be used to access content directly that
would otherwise be protected by inbuilt CouchDB security mechanisms. This
request could retrieve in binary form any CouchDB database, including the
_users or _replication databases, or any other file that the user account
used to run CouchDB might have read access to on the local filesystem. This
exploit is due to a vulnerability in the included MochiWeb HTTP library.

Mitigation:
Upgrade to a supported release that includes this fix, such as
CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which
include a specific fix for the MochiWeb component.

Work-Around:
Users may simply exclude any file-based web serving components directly
within their configuration file, typically in `local.ini`. On a default
CouchDB installation, this requires amending the `favicon.ico` and
`_utils` lines within `[httpd_global_handlers]`:

    [httpd_global_handlers]
    favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
    _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}

If additional handlers have been added, such as to support Adobe's Flash
`crossdomain.xml` files, these would also need to be excluded.

Acknowledgement:
The issue was found and reported by Sriram Melkote to the upstream MochiWeb
project.

References:
https://github.com/melkote/mochiweb/commit/ac2bf

Jan Lehnardt
--




//The information contained within this publication is

//supplied "as-is"with no warranties or guarantees of fitness

//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts

//responsibility for any damage caused by the use or misuse of

//this information



Viewing all articles
Browse latest Browse all 8064

Trending Articles