atom feed1 message in org.apache.couchdb.userCVE-2012-5641 Apache CouchDB Informat...
FromSent OnAttachments
Jan LehnardtJan 14, 2013 2:05 am 
Subject:CVE-2012-5641 Apache CouchDB Information disclosure via unescaped backslashes in URLs on Windows
From:Jan Lehnardt (ja@apache.org)
Date:Jan 14, 2013 2:05:29 am
List:org.apache.couchdb.user

CVE-2012-5641

Information disclosure via unescaped backslashes in URLs on Windows

Affected Versions: All Windows-based releases of Apache CouchDB, up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable.

Description: A specially crafted request could be used to access content directly that would otherwise be protected by inbuilt CouchDB security mechanisms. This request could retrieve in binary form any CouchDB database, including the _users or _replication databases, or any other file that the user account used to run CouchDB might have read access to on the local filesystem. This exploit is due to a vulnerability in the included MochiWeb HTTP library.

Mitigation: Upgrade to a supported release that includes this fix, such as CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which include a specific fix for the MochiWeb component.

Work-Around: Users may simply exclude any file-based web serving components directly within their configuration file, typically in `local.ini`. On a default CouchDB installation, this requires amending the `favicon.ico` and `_utils` lines within `[httpd_global_handlers]`:

[httpd_global_handlers] favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req,
<<"Forbidden">>} _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}

If additional handlers have been added, such as to support Adobe's Flash `crossdomain.xml` files, these would also need to be excluded.

Acknowledgement: The issue was found and reported by Sriram Melkote to the upstream MochiWeb project.

References: https://github.com/melkote/mochiweb/commit/ac2bf