CVE-2012-5650: Apache CouchDB DOM based Cross-Site Scripting via Futon UI
Affected Versions:
Apache CouchDB releases up to and including 1.0.3, 1.1.1, and 1.2.0
are vulnerable.
Description:
Query parameters passed to the browser-based test suite are not
sanitised and can be used to load external resources. An attacker may
execute JavaScript code in the browser in the context of the remote user.
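As an added illustration (not Futon's or CouchDB's own code), the pattern the description names beside one way to harden it: a test page that takes the script to load from the query string. The parameter name `test` and the directory `/_utils/script/` are assumptions for the example only.

```javascript
// Added example, not CouchDB/Futon code. The parameter name "test" and the
// directory "/_utils/script/" are assumed for illustration.
const ALLOWED_DIR = "/_utils/script/";

// Extract one parameter from a location.search-style string ("?a=1&b=2").
function getParam(search, name) {
  const params = new URLSearchParams(search);
  return params.get(name);
}

// Unsafe pattern (what the advisory describes): the raw query value becomes
// a script src, so an absolute or protocol-relative URL in the query string
// makes the page load code from another origin.
function unsafeScriptSrc(search) {
  return getParam(search, "test");
}

// Hardened: accept only a bare file name ending in ".js" (no slashes, no
// scheme, no ".." segments) and resolve it inside a fixed same-origin
// directory. Anything else yields null, so nothing is loaded.
function safeScriptSrc(search) {
  const value = getParam(search, "test");
  if (value === null) return null;
  if (!/^[A-Za-z0-9_-]+\.js$/.test(value)) return null;
  return ALLOWED_DIR + value;
}
```

In the page itself the returned path would be assigned to a script element's `src`; with the hardened resolver, a null result means the request is dropped rather than loaded.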
Mitigation:
Upgrade to a supported release that includes this fix, such as Apache
CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which
include a specific fix.
Work-Around:
Disable the Futon user interface completely, by adapting `local.ini` and
restarting CouchDB:

[httpd_global_handlers]
_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}

Or by removing the UI test suite components:
share/www/verify_install.html
share/www/couch_tests.html
share/www/custom_test.html
Acknowledgement:
This vulnerability was discovered and reported to the Apache Software
Foundation by Frederik Braun https://frederik-braun.com/
Jan Lehnardt