TUCoPS :: Web :: Apache :: 1008-87.htm

Apache CouchDB Cross Site Request Forgery Attack
CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack
CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack


CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache CouchDB 0.8.0 to 0.11.0

Description:
Apache CouchDB versions prior to version 0.11.1 are vulnerable to
cross site request forgery (CSRF) attacks.

Mitigation:
All users should upgrade to CouchDB 0.11.2 or 1.0.1. Upgrades from 
the 0.11.x and 0.10.x series should be seamless. Users on earlier 
versions should consult 

http://wiki.apache.org/couchdb/Breaking_changes 

Example:
A malicious website can POST arbitrary JavaScript code to well
known CouchDB installation URLs (like http://localhost:5984/) 
and make the browser execute the injected JavaScript in the
security context of CouchDB's admin interface Futon.

Unrelated, but in addition the JSONP API has been turned off
by default to avoid potential information leakage.

Credit:
This CSRF issue was discovered by a source that wishes to stay 
anonymous.

References:
http://couchdb.apache.org/downloads.html 
http://wiki.apache.org/couchdb/Breaking_changes 
http://en.wikipedia.org/wiki/Cross-site_request_forgery 

Jan Lehnardt
--

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH