17.2. CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack

17.2. CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack

Date:
21.02.2010
Affected:
——-
Apache CouchDB 0.8.0 to 0.11.1
Severity:
——-
Important
Vendor:
——-
The Apache Software Foundation

17.2.1. Description

Apache CouchDB versions prior to version 0.11.1 arevulnerable to Cross Site Request Forgery (CSRF) attacks.

17.2.2. Mitigation

All users should upgrade to CouchDB 0.11.2or 1.0.1.

Upgrades from the 0.11.x and0.10.x series should be seamless.

Users on earlier versions should consult with upgrade notes.

17.2.3. Example

A malicious website can POST arbitrary JavaScript code to wellknown CouchDB installation URLs (like http://localhost:5984/)and make the browser execute the injected JavaScript in thesecurity context of CouchDB’s admin interface Futon.

Unrelated, but in addition the JSONP API has been turned offby default to avoid potential information leakage.

17.2.4. Credit

This CSRF issue was discovered by a source that wishes to stayanonymous.

原文: http://docs.couchdb.org/en/stable/cve/2010-2234.html