Apache CouchDB Information disclosure (Windows)

2013-01-14 / 2014-03-19
Credit: Jan Lehnardt
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Information disclosure via unescaped backslashes in URLs on Windows

Affected Versions:

All Windows-based releases of Apache CouchDB, up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable.

Description:

A specially crafted request could be used to access content directly that would otherwise be protected by inbuilt CouchDB security mechanisms. This request could retrieve in binary form any CouchDB database, including the _users or _replication databases, or any other file that the user account used to run CouchDB might have read access to on the local filesystem. This exploit is due to a vulnerability in the included MochiWeb HTTP library.

Mitigation:

Upgrade to a supported release that includes this fix, such as CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which include a specific fix for the MochiWeb component.

Work-Around:

Users may simply exclude any file-based web serving components directly within their configuration file, typically in `local.ini`. On a default CouchDB installation, this requires amending the `favicon.ico` and `_utils` lines within `[httpd_global_handlers]`:

    [httpd_global_handlers]
    favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
    _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}

If additional handlers have been added, such as to support Adobe's Flash `crossdomain.xml` files, these would also need to be excluded.

Acknowledgement:

The issue was found and reported by Sriram Melkote to the upstream MochiWeb project.

References:

https://github.com/melkote/mochiweb/commit/ac2bf

Jan Lehnardt

References:

https://github.com/melkote/mochiweb/commit/ac2bf
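
The class of bug described above (CWE-22 where only `/` is treated as a path separator) can be illustrated with a simplified check beside a hardened one. This is an added example in Python, not code from CouchDB or MochiWeb; the function names, the document root and the sample request paths are constructed for illustration.

```python
import ntpath  # Windows path rules, importable on any platform
from urllib.parse import unquote

DOCROOT = r"C:\srv\www"  # constructed document root


def _walk(decoded):
    """Resolve '.' and '..' segments, splitting on '/' only."""
    parts = []
    for seg in decoded.split("/"):
        if seg == "..":
            if not parts:
                return None  # would climb above the document root
            parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/".join(parts)


def naive_safe_relative_path(url_path):
    """Simplified 'before' check: a backslash is just another character."""
    return _walk(unquote(url_path))


def safe_relative_path(url_path):
    """Hardened check: refuse what Windows file APIs would reinterpret."""
    decoded = unquote(url_path)
    # Backslash is a separator on Windows, ':' introduces drive letters and
    # alternate data streams, NUL truncates paths in some native APIs.
    if any(ch in decoded for ch in ("\\", ":", "\x00")):
        return None
    return _walk(decoded)


def stays_inside(docroot, rel):
    """True if rel, resolved with Windows rules, is still under docroot."""
    root = ntpath.normpath(docroot)
    full = ntpath.normpath(ntpath.join(root, rel))
    return full == root or full.startswith(root + "\\")


if __name__ == "__main__":
    for sample in ("css/site.css", "..%5C..%5Cconstructed.txt"):  # constructed
        accepted = naive_safe_relative_path(sample)
        print(sample, "| naive:", accepted,
              "| inside docroot:", stays_inside(DOCROOT, accepted),
              "| hardened:", safe_relative_path(sample))
```

The naive check accepts the backslash path as a single harmless-looking segment, while Windows path resolution places it outside the document root; the hardened check rejects it before any filesystem call.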

