Information disclosure via unescaped backslashes in URLs on Windows Affected Versions: All Windows-based releases of Apache CouchDB, up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable. Description: A specially crafted request could be used to access content directly that would otherwise be protected by inbuilt CouchDB security mechanisms. This request could retrieve in binary form any CouchDB database, including the _users or _replication databases, or any other file that the user account used to run CouchDB might have read access to on the local filesystem. This exploit is due to a vulnerability in the included MochiWeb HTTP library. Mitigation: Upgrade to a supported release that includes this fix, such as CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which include a specific fix for the MochiWeb component. Work-Around: Users may simply exclude any file-based web serving components directly within their configuration file, typically in `local.ini`. On a default CouchDB installation, this requires amending the `favicon.ico` and `_utils` lines within `[httpd_global_handlers]`: [httpd_global_handlers] favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>} _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>} If additional handlers have been added, such as to support Adobe's Flash `crossdomain.xml` files, these would also need to be excluded. Acknowledgement: The issue was found and reported by Sriram Melkote to the upstream MochiWeb project. References: https://github.com/melkote/mochiweb/commit/ac2bf Jan Lehnardt