2.4. CVE-2012-5641: Information disclosure via unescaped backslashes in URLs on Windows

Date:14.01.2013
Affected:All Windows-based releases of Apache CouchDB, up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable.
Severity:Moderate
Vendor:The Apache Software Foundation

2.4.1. Description

A specially crafted request could be used to access content directly that would otherwise be protected by inbuilt CouchDB security mechanisms. This request could retrieve in binary form any CouchDB database, including the _users or _replication databases, or any other file that the user account used to run CouchDB might have read access to on the local filesystem. This exploit is due to a vulnerability in the included MochiWeb HTTP library.

2.4.2. Mitigation

Upgrade to a supported CouchDB release that includes this fix, such as:

All listed releases have included a specific fix for the MochiWeb component.

2.4.3. Work-Around

Users may simply exclude any file-based web serving components directly within their configuration file, typically in local.ini. On a default CouchDB installation, this requires amending the httpd_global_handlers/favicon.ico and httpd_global_handlers/_utils lines within httpd_global_handlers:

  1. [httpd_global_handlers]
  2. favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
  3. _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}

If additional handlers have been added, such as to support Adobe’s Flash crossdomain.xml files, these would also need to be excluded.

2.4.4. Acknowledgement

The issue was found and reported by Sriram Melkote to the upstream MochiWeb project.

2.4.5. References