|
|
 |
| New User, Welcome! Login |
CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack
| From: |
Jan Lehnardt <jan apache org> |
| To: |
dev couchdb apache org |
| Cc: |
user couchdb apache org, security couchdb apache org, security apache org, full-disclosure lists grok org uk, bugtraq securityfocus com |
| Subject: |
CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack |
| Date: |
Tue - Aug 17, 2010 08:10 AM |
CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache CouchDB 0.8.0 to 0.11.0
Description:
Apache CouchDB versions prior to version 0.11.1 are vulnerable to
cross site request forgery (CSRF) attacks.
Mitigation:
All users should upgrade to CouchDB 0.11.2 or 1.0.1. Upgrades from
the 0.11.x and 0.10.x series should be seamless. Users on earlier
versions should consult
http://wiki.apache.org/couchdb/Breaking_changes
Example:
A malicious website can POST arbitrary JavaScript code to well
known CouchDB installation URLs (like http://localhost:5984/)
and make the browser execute the injected JavaScript in the
security context of CouchDB's admin interface Futon.
Unrelated, but in addition the JSONP API has been turned off
by default to avoid potential information leakage.
Credit:
This CSRF issue was discovered by a source that wishes to stay
anonymous.
References:
http://couchdb.apache.org/downloads.html
http://wiki.apache.org/couchdb/Breaking_changes
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Jan Lehnardt
--
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
