Information disclosure via unescaped backslashes in URLs on Windows
Affected Versions:
All Windows-based releases of Apache CouchDB, up to and including
1.0.3, 1.1.1, and 1.2.0 are vulnerable.
Description:
A specially crafted request could be used to access content directly that
would otherwise be protected by inbuilt CouchDB security mechanisms. This
request could retrieve in binary form any CouchDB database, including the
_users or _replication databases, or any other file that the user account
used to run CouchDB might have read access to on the local filesystem. This
exploit is due to a vulnerability in the included MochiWeb HTTP library.
Mitigation:
Upgrade to a supported release that includes this fix, such as
CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which
include a specific fix for the MochiWeb component.
Work-Around:
Users may simply exclude any file-based web serving components directly
within their configuration file, typically in `local.ini`. On a default
CouchDB installation, this requires amending the `favicon.ico` and
`_utils` lines within `[httpd_global_handlers]`:
[httpd_global_handlers]
favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
If additional handlers have been added, such as to support Adobe's Flash
`crossdomain.xml` files, these would also need to be excluded.
Acknowledgement:
The issue was found and reported by Sriram Melkote to the upstream MochiWeb
project.
References:
https://github.com/melkote/mochiweb/commit/ac2bf
Jan Lehnardt