Begin forwarded message:
> From: Jan Lehnardt <[email protected]> > Subject: CVE-2012-5650 Apache CouchDB DOM based Cross-Site Scripting via > Futon UI > Date: January 14, 2013 11:05:54 GMT+01:00 > To: "[email protected]" <[email protected]>, > "[email protected]" <[email protected]>, > "[email protected]" <[email protected]>, > [email protected], [email protected] > Reply-To: [email protected] > Reply-To: "[email protected]" <[email protected]> > > CVE-2012-5650 > > DOM based Cross-Site Scripting via Futon UI > > Affected Versions: > Apache CouchDB releases up to and including 1.0.3, 1.1.1, and 1.2.0 > are vulnerable. > > Description: > Query parameters passed into the browser-based test suite are not sanitised, > and can be used to load external resources. An attacker may execute JavaScript > code in the browser, using the context of the remote user. > > Mitigation: > Upgrade to a supported release that includes this fix, such as Apache > CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which > include a specific fix. > > Work-Around: > Disable the Futon user interface completely, by adapting `local.ini` and > restarting CouchDB: > > [httpd_global_handlers] > _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>} > > Or by removing the UI test suite components: > > share/www/verify_install.html > share/www/couch_tests.html > share/www/custom_test.html > > Acknowledgement: > This vulnerability was discovered & reported to the Apache Software Foundation > by Frederik Braun https://frederik-braun.com/ > > Jan Lehnardt > -- >
