2.6. CVE-2012-5650: DOM based Cross-Site Scripting via Futon UI
Date: | 14.01.2013 |
---|---|
Affected: | Apache CouchDB releases up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable. |
Severity: | Moderate |
Vendor: | The Apache Software Foundation |
2.6.1. Description
Query parameters passed into the browser-based test suite are not sanitised, and can be used to load external resources. An attacker may execute JavaScript code in the browser, using the context of the remote user.
2.6.2. Mitigation
Upgrade to a supported CouchDB release that includes this fix, such as:
All listed releases have included a specific fix.
2.6.3. Work-Around
Disable the Futon user interface completely, by adapting local.ini and restarting CouchDB:
[httpd_global_handlers]
_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
Or by removing the UI test suite components:
- share/www/verify_install.html
- share/www/couch_tests.html
- share/www/custom_test.html
2.6.4. Acknowledgement
This vulnerability was discovered & reported to the Apache Software Foundation by Frederik Braun.