17.6. CVE-2012-5650: DOM based Cross-Site Scripting via Futon UI

17.6. CVE-2012-5650: DOM based Cross-Site Scripting via Futon UI

Date:
14.01.2013
Affected:
——-
Apache CouchDB releases up to and including 1.0.3, 1.1.1,and 1.2.0 are vulnerable.
Severity:
——-
Moderate
Vendor:
——-
The Apache Software Foundation

17.6.1. Description

Query parameters passed into the browser-based test suite are not sanitised,and can be used to load external resources. An attacker may execute JavaScriptcode in the browser, using the context of the remote user.

17.6.2. Mitigation

Upgrade to a supported CouchDB release that includes this fix, such as:

1.0.4
1.1.2
1.2.1
1.3.x
All listed releases have included a specific fix.

17.6.3. Work-Around

Disable the Futon user interface completely, by adapting local.ini andrestarting CouchDB:

[httpd_global_handlers]
_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}

Or by removing the UI test suite components:

share/www/verify_install.html
share/www/couch_tests.html
share/www/custom_test.html

17.6.4. Acknowledgement

This vulnerability was discovered & reported to the Apache Software Foundationby Frederik Braun.

原文: http://docs.couchdb.org/en/stable/cve/2012-5650.html