CVE-2012-5641 Apache CouchDB Information disclosure via unescape
CVE-2012-5641
Information disclosure via unescaped backslashes in URLs on Windows
Affected Versions:
All Windows-based releases of Apache CouchDB, up to and including
1.0.3, 1.1.1, and 1.2.0 are vulnerable.
Description:
A specially crafted request could be used to access content directly =
that
would otherwise be protected by inbuilt CouchDB security mechanisms. =
This
request could retrieve in binary form any CouchDB database, including =
the
_users or _replication databases, or any other file that the user =
account
used to run CouchDB might have read access to on the local filesystem. =
This
exploit is due to a vulnerability in the included MochiWeb HTTP library.
Mitigation:
Upgrade to a supported release that includes this fix, such as
CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which
include a specific fix for the MochiWeb component.
Work-Around:
Users may simply exclude any file-based web serving components directly=20=
within their configuration file, typically in `local.ini`. On a default=20=
CouchDB installation, this requires amending the `favicon.ico` and
`_utils` lines within `[httpd_global_handlers]`:
[httpd_global_handlers]
favicon.ico =3D {couch_httpd_misc_handlers, handle_welcome_req, =
<<"Forbidden">>}
_utils =3D {couch_httpd_misc_handlers, handle_welcome_req, =
<<"Forbidden">>}
If additional handlers have been added, such as to support Adobe's Flash
`crossdomain.xml` files, these would also need to be excluded.
Acknowledgement:
The issue was found and reported by Sriram Melkote to the upstream =
MochiWeb
project.
References:
https://github.com/melkote/mochiweb/commit/ac2bf
Jan Lehnardt
--=20