| .. Licensed under the Apache License, Version 2.0 (the "License"); you may not |
| .. use this file except in compliance with the License. You may obtain a copy of |
| .. the License at |
| .. |
| .. http://www.apache.org/licenses/LICENSE-2.0 |
| .. |
| .. Unless required by applicable law or agreed to in writing, software |
| .. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| .. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| .. License for the specific language governing permissions and limitations under |
| .. the License. |
| |
| .. _cve/2012-5641: |
| |
| ================================================================================== |
| CVE-2012-5641: Information disclosure via unescaped backslashes in URLs on Windows |
| ================================================================================== |
| |
| :Date: 14.01.2013 |
| |
| :Affected: All Windows-based releases of Apache CouchDB, up to and including |
| 1.0.3, 1.1.1, and 1.2.0 are vulnerable. |
| |
| :Severity: Moderate |
| |
| :Vendor: The Apache Software Foundation |
| |
| Description |
| =========== |
| |
| A specially crafted request could be used to access content directly that |
| would otherwise be protected by inbuilt CouchDB security mechanisms. This |
| request could retrieve in binary form any CouchDB database, including the |
| `_users` or `_replication` databases, or any other file that the user account |
| used to run CouchDB might have read access to on the local filesystem. This |
| exploit is due to a vulnerability in the included MochiWeb HTTP library. |
| |
| Mitigation |
| ========== |
| |
| Upgrade to a supported CouchDB release that includes this fix, such as: |
| |
| - :ref:`1.0.4 <release/1.0.4>` |
| - :ref:`1.1.2 <release/1.1.2>` |
| - :ref:`1.2.1 <release/1.2.1>` |
| - :ref:`1.3.x <release/1.3.x>` |
| |
| All listed releases have included a specific fix for the MochiWeb component. |
| |
| Work-Around |
| =========== |
| |
| Users may simply exclude any file-based web serving components directly |
| within their configuration file, typically in `local.ini`. On a default |
| CouchDB installation, this requires amending the |
| `httpd_global_handlers/favicon.ico` and `httpd_global_handlers/_utils` |
| lines within `httpd_global_handlers`:: |
| |
| [httpd_global_handlers] |
| favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>} |
| _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>} |
| |
| If additional handlers have been added, such as to support Adobe's Flash |
| `crossdomain.xml` files, these would also need to be excluded. |
| |
| Acknowledgement |
| =============== |
| |
| The issue was found and reported by Sriram Melkote to the upstream MochiWeb |
| project. |
| |
| References |
| ========== |
| |
| - https://github.com/melkote/mochiweb/commit/ac2bf |