Begin forwarded message: > From: Jan Lehnardt <[email protected]> > Subject: CVE-2012-5641 Apache CouchDB Information disclosure via unescaped > backslashes in URLs on Windows > Date: January 14, 2013 11:05:52 GMT+01:00 > To: [email protected], [email protected], > [email protected], [email protected], > [email protected] > Reply-To: [email protected] > Reply-To: "[email protected]" <[email protected]> > > CVE-2012-5641 > > Information disclosure via unescaped backslashes in URLs on Windows > > Affected Versions: > All Windows-based releases of Apache CouchDB, up to and including > 1.0.3, 1.1.1, and 1.2.0 are vulnerable. > > Description: > A specially crafted request could be used to access content directly that > would otherwise be protected by inbuilt CouchDB security mechanisms. This > request could retrieve in binary form any CouchDB database, including the > _users or _replication databases, or any other file that the user account > used to run CouchDB might have read access to on the local filesystem. This > exploit is due to a vulnerability in the included MochiWeb HTTP library. > > Mitigation: > Upgrade to a supported release that includes this fix, such as > CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which > include a specific fix for the MochiWeb component. > > Work-Around: > Users may simply exclude any file-based web serving components directly > within their configuration file, typically in `local.ini`. On a default > CouchDB installation, this requires amending the `favicon.ico` and > `_utils` lines within `[httpd_global_handlers]`: > > [httpd_global_handlers] > favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req, > <<"Forbidden">>} > _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>} > > If additional handlers have been added, such as to support Adobe's Flash > `crossdomain.xml` files, these would also need to be excluded. > > Acknowledgement: > The issue was found and reported by Sriram Melkote to the upstream MochiWeb > project. > > References: > https://github.com/melkote/mochiweb/commit/ac2bf > > Jan Lehnardt > -- >
