On Aug 25, 2010, at 9:05 AM, J Chris Anderson wrote:

> 
> On Aug 25, 2010, at 4:06 AM, Nils Breunese wrote:
> 
>> Wout Mertens wrote:
>> 
>>> On Aug 25, 2010, at 9:44 , Nils Breunese wrote:
>>> 
>>>> J Chris Anderson wrote:
>>>> 
>>>>> You also need to activate JSONP in the configuration. It's off by 
>>>>> default because it is insecure.
>>>> 
>>>> What exactly is insecure about having JSONP enabled?
>>> 
>>> I'm guessing that JSONP "feels" insecure.
> 
> With JSONP on by default, anyone can write mashups leaking information from 
> CouchDB to code on another site. It's not anything you couldn't read directly 
> with curl or by browsing to the CouchDB, but you could potentially use it to 
> make an attacker's site look customized by listing the user's personal 
> information from a well-known CouchDB document.

Also, for a read-secured database with a user or admin logged in, JSONP makes 
it possible to steal private data on hostile webpages. Using JSONP, hostile 
webpages can make GET calls to the CouchDB database with the user's logged-in 
credentials and load the otherwise secured information to the user's browser and 
then send it back to the hostile server.

-Damien

> 
>>> 
>>> The excellent exploit prevention course from Google mentions it as 
>>> something to avoid:
>>> 
>>> "There's a variation of JSON called JSONP which you should avoid using 
>>> because it allows script injection by design."
>>> – http://google-gruyere.appspot.com/part3, under the last "Exploit and Fix" 
>>> section.
>> 
>> I guess there is no risk for CouchDB itself, right? All CouchDB is doing is 
>> wrapping the resulting output with "foo(" and ");". It's the caller that 
>> needs to handle the response properly. CouchDB 0.10.1 doesn't have the JSONP 
>> setting yet and has it enabled by default, so I can't disable it anyway at 
>> the moment. :o)
>> 
>> Nils.
>> 
> 
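To make the points in this thread concrete, here is an added example (not CouchDB's own code) of how a JSONP-capable HTTP layer can render a response safely: plain JSON unless JSONP is explicitly enabled in configuration, the `callback` name validated as a JavaScript identifier so the query parameter cannot inject script, and no wrapping at all when the request rides on a logged-in session, which is the cookie-credential leak Damien describes. The function name, parameters and the "no JSONP for authenticated requests" rule are this example's own assumptions.

```python
import json
import re

# A JSONP callback must be a plain JavaScript identifier (dotted paths allowed).
# Accepting anything else would let the `callback` query parameter inject
# arbitrary script into the response body, which is served as executable JS.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def render(doc, callback=None, allow_jsonp=False, authenticated=False):
    """Serialise `doc` for an HTTP response, CouchDB-style (hypothetical helper).

    Returns a (content_type, body) tuple.
      * allow_jsonp=False (the default, as in CouchDB) ignores `callback`
        and returns plain application/json, which a cross-origin <script>
        tag cannot read.
      * A request carrying a logged-in session is never wrapped: a hostile
        page's <script src="https://couch.example/db/doc?callback=f"> would
        send the user's cookie and receive the private document as code.
        This rule is an assumption of the example, not CouchDB behaviour.
      * Malformed callback names are rejected instead of echoed.
    """
    # ensure_ascii=True (json.dumps default) also escapes U+2028/U+2029,
    # which would otherwise terminate a JavaScript string literal.
    body = json.dumps(doc, separators=(",", ":"))
    if callback is None or not allow_jsonp or authenticated:
        return "application/json", body
    if not _CALLBACK_RE.match(callback):
        raise ValueError("invalid JSONP callback name")
    # The actual JSONP transformation: wrap the JSON in "foo(" ... ");".
    return "text/javascript", f"{callback}({body});"


if __name__ == "__main__":
    # Constructed sample document standing in for a read-secured CouchDB doc.
    doc = {"_id": "user_profile", "email": "nils@example.invalid"}
    print(render(doc, callback="foo"))                     # JSONP off by default
    print(render(doc, callback="foo", allow_jsonp=True))   # public data, wrapped
    print(render(doc, callback="foo", allow_jsonp=True, authenticated=True))
```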
