.. Licensed under the Apache License, Version 2.0 (the "License"); you may not .. use this file except in compliance with the License. You may obtain a copy of .. the License at .. .. http://www.apache.org/licenses/LICENSE-2.0 .. .. Unless required by applicable law or agreed to in writing, software .. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT .. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the .. License for the specific language governing permissions and limitations under .. the License. .. _cve/2012-5641: ================================================================================== CVE-2012-5641: Information disclosure via unescaped backslashes in URLs on Windows ================================================================================== :Date: 14.01.2013 :Affected: All Windows-based releases of Apache CouchDB, up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable. :Severity: Moderate :Vendor: The Apache Software Foundation Description =========== A specially crafted request could be used to access content directly that would otherwise be protected by inbuilt CouchDB security mechanisms. This request could retrieve in binary form any CouchDB database, including the `_users` or `_replication` databases, or any other file that the user account used to run CouchDB might have read access to on the local filesystem. This exploit is due to a vulnerability in the included MochiWeb HTTP library. Mitigation ========== Upgrade to a supported CouchDB release that includes this fix, such as: - :ref:`1.0.4 ` - :ref:`1.1.2 ` - :ref:`1.2.1 ` - :ref:`1.3.x ` All listed releases have included a specific fix for the MochiWeb component. Work-Around =========== Users may simply exclude any file-based web serving components directly within their configuration file, typically in `local.ini`. On a default CouchDB installation, this requires amending the `httpd_global_handlers/favicon.ico` and `httpd_global_handlers/_utils` lines within `httpd_global_handlers`:: [httpd_global_handlers] favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>} _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>} If additional handlers have been added, such as to support Adobe's Flash `crossdomain.xml` files, these would also need to be excluded. Acknowledgement =============== The issue was found and reported by Sriram Melkote to the upstream MochiWeb project. References ========== - https://github.com/melkote/mochiweb/commit/ac2bf