17.4. CVE-2012-5641: Information disclosure via unescaped backslashes in URLs on Windows

Date: 14.01.2013
Affected: All Windows-based releases of Apache CouchDB, up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable.
Severity: Moderate
Vendor: The Apache Software Foundation

17.4.1. Description

A specially crafted request could be used to access content directly that would otherwise be protected by inbuilt CouchDB security mechanisms. This request could retrieve in binary form any CouchDB database, including the _users or _replication databases, or any other file that the user account used to run CouchDB might have read access to on the local filesystem. This exploit is due to a vulnerability in the included MochiWeb HTTP library.

17.4.2. Mitigation

Upgrade to a supported CouchDB release that includes this fix, such as:

17.4.3. Work-Around

Users may simply exclude any file-based web serving components directly within their configuration file, typically in local.ini. On a default CouchDB installation, this requires amending the httpd_global_handlers/favicon.ico and httpd_global_handlers/_utils lines within httpd_global_handlers:

  [httpd_global_handlers]
  ; Answer these paths with a static response instead of serving files from disk
  favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
  _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}

If additional handlers have been added, such as to support Adobe’s Flash crossdomain.xml files, these would also need to be excluded.
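To confirm the work-around took effect, the following added example (not part of the original advisory or of CouchDB) merges ini files in load order and reports entries in httpd_global_handlers that still look file-based. The sample ini text is constructed, the crossdomain.xml handler in it is hypothetical, and treating a plain quoted third argument as a directory to serve is a heuristic assumption.

```python
import configparser
import re

SECTION = "httpd_global_handlers"
WORKAROUND_FN = "handle_welcome_req"       # static-response handler from the work-around
NAMED_ON_PAGE = ("favicon.ico", "_utils")  # entries the advisory says to amend
# Handler spec as written in the ini: {Module, Function} or {Module, Function, Arg}
SPEC = re.compile(r"^\{\s*(\w+)\s*,\s*(\w+)\s*(?:,\s*(.+?))?\s*\}$")

def audit_handlers(*ini_texts):
    """Merge ini texts in load order (later wins); return {entry: reason}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";",))
    cp.optionxform = str  # keep keys such as "_utils" exactly as written
    for text in ini_texts:
        cp.read_string(text)
    handlers = dict(cp[SECTION]) if cp.has_section(SECTION) else {}
    findings = {}
    for name in NAMED_ON_PAGE:
        if name not in handlers:
            findings[name] = "no override in supplied files; built-in default may apply"
    for name, spec in handlers.items():
        m = SPEC.match(spec.strip())
        if not m:
            findings[name] = "unparseable handler spec"
            continue
        _module, function, arg = m.groups()
        # Assumption (heuristic): a plain "quoted" third argument is a directory
        # to serve from, whereas <<"...">> is a literal response body.
        if arg and arg.startswith('"'):
            findings[name] = f"file-based handler {function} serving {arg}"
        elif name in NAMED_ON_PAGE and function != WORKAROUND_FN:
            findings[name] = f"not set to {WORKAROUND_FN}"
    return findings

# Constructed sample input: a default.ini excerpt and a partially amended local.ini.
DEFAULT_INI = """
[httpd_global_handlers]
/ = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome">>}
favicon.ico = {couch_httpd_misc_handlers, handle_favicon_req, "../share/couchdb/www"}
_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "../share/couchdb/www"}
_all_dbs = {couch_httpd_misc_handlers, handle_all_dbs_req}
"""
LOCAL_INI = """
[httpd_global_handlers]
; only favicon.ico was amended; the crossdomain.xml handler is hypothetical
favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
crossdomain.xml = {example_static, handle_file_req, "../share/flash"}
"""
```

Calling `audit_handlers(DEFAULT_INI, LOCAL_INI)` on the sample reports `_utils` and `crossdomain.xml`; an empty result means every handler in the merged section returns a fixed response.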

17.4.4. Acknowledgement

The issue was found and reported by Sriram Melkote to the upstream MochiWeb project.

17.4.5. References

Original: http://docs.couchdb.org/en/stable/cve/2012-5641.html