[Pkg-erlang-devel] Bug#570013: RESTful interface for browser Javascript is insecure
Florian Weimer
fw at deneb.enyo.de
Mon Feb 15 20:44:07 UTC 2010
Package: couchdb
Version: 0.10.0-1
Tags: upstream important
You cannot use a RESTful interface from a browser because it is open
to CSRF attacks. Using an HttpOnly cookie is not sufficient because
some of our browsers do not support HttpOnly.
Furthermore, couchdb serves back Javascript contained in database
attachment back to the browser for execution, offering yet another
attack vector which also affects browsers with HttpOnly support.
This has already been reported upstream, not realizing that we've
shipped it in lenny (with no response from upstream so far):
http://mail-archives.apache.org/mod_mbox/couchdb-dev/201002.mbox/%3C87bpfz5t39.fsf@mid.deneb.enyo.de%3E
But lenny is exposed in a rather different way; it does not seem to
offer any authentication at all.
More information about the Pkg-erlang-devel
mailing list