[Pkg-erlang-devel] Bug#570013: Bug#570013: RESTful interface for browser Javascript is insecure

Florian Weimer fw at deneb.enyo.de
Fri Feb 19 19:23:01 UTC 2010


* Sam Bisbee:

>> You cannot use a RESTful interface from a browser because it is open
>> to CSRF attacks.  Using an HttpOnly cookie is not sufficient because
>> some of our browsers do not support HttpOnly.
>
> I'm not sure I understand what you're referring to here. It seems
> like you're worried that Futon will send some sort of malicious
> attack to a Futon user.

The technical term here is "Cross-Site Request Forgery" (CSRF).

>> Furthermore, couchdb serves back Javascript contained in database
>> attachment back to the browser for execution, offering yet another
>> attack vector which also affects browsers with HttpOnly support.
>
> What Javascript are you referring to?

The Javascript which was uploaded to the database, either through the
CSRF bug above, or some other interface.  CouchDB should make it more
difficult to bring that to execution in a browser (especially those
using the Futon front end).

>> But lenny is exposed in a rather different way; it does not seem to
>> offer any authentication at all.
>
> Authentication has been in development for couchdb for quite some
> time, being applied in different stages over the releases.

It's still a bit gross to release an authentication-less database with
lenny. 8-/
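As an added illustration (not code from this thread, from Debian, or from CouchDB), the two defences the discussion points at can be expressed as small server-side checks: a CSRF guard for state-changing requests on a cookie-authenticated REST API, and a header policy for serving stored attachments so that uploaded HTML or JavaScript is not rendered inside the API's own origin. All names (`Request`, `csrf_check`, `attachment_headers`, the allowed-origin value) are hypothetical and constructed for this example.

```python
"""Defensive checks for a cookie-authenticated REST API (illustration only).

Two mitigations for the two problems raised in the thread:
  1. Cross-Site Request Forgery: browsers attach cookies (HttpOnly or not)
     to cross-site requests, so an HttpOnly flag does nothing against CSRF.
     State-changing requests must prove the issuing page is our own origin.
  2. Stored attachments: user-uploaded HTML/JavaScript must not be rendered
     in the API's origin, or it runs with the victim's session cookies.
All names here are hypothetical; this is not CouchDB's own code.
"""
from dataclasses import dataclass, field

# Origins from which same-site front ends (e.g. an admin UI) are served.
# Constructed value for this example.
ALLOWED_ORIGINS = {"http://127.0.0.1:5984"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Content types a plain HTML <form> can submit without any script.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
# MIME types a browser will render (and execute script in) if served inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/javascript", "application/javascript"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def csrf_check(req: Request) -> tuple:
    """Return (allowed, reason) for a request on a cookie-authenticated API."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not req.cookies:
        # No ambient credential: nothing for a forged request to ride on.
        return True, "no cookie-based session"
    origin = req.header("Origin")
    if origin is None:
        # Older browsers omit Origin; fall back to the Referer's origin part.
        referer = req.header("Referer")
        if referer:
            parts = referer.split("/", 3)
            origin = "/".join(parts[:3]) if len(parts) >= 3 else None
    if origin not in ALLOWED_ORIGINS:
        # Fail closed: a missing or foreign origin is rejected.
        return False, "origin %r not allowed for state-changing request" % origin
    # A JSON body cannot come from a bare HTML form; script is required, and
    # the same-origin policy keeps script on other origins from sending it
    # with our cookies (absent a permissive CORS policy).
    ctype = (req.header("Content-Type") or "").split(";")[0].strip().lower()
    if ctype in FORM_TYPES:
        return False, "form-encoded body rejected; API expects application/json"
    return True, "ok"


def attachment_headers(declared_type: str, filename: str) -> dict:
    """Response headers for a stored attachment so that browser-active
    content is downloaded rather than executed in this origin."""
    base = declared_type.split(";")[0].strip().lower()
    # Strip anything that could smuggle a header break or quote.
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "attachment"
    headers = {"X-Content-Type-Options": "nosniff"}  # no MIME sniffing into HTML
    if base in ACTIVE_TYPES:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % safe_name
    else:
        headers["Content-Type"] = declared_type
        headers["Content-Disposition"] = "inline"
    return headers


if __name__ == "__main__":
    forged = Request("PUT", {"Origin": "http://attacker.invalid",
                             "Content-Type": "text/plain"}, {"AuthSession": "abc"})
    print(csrf_check(forged))
    print(attachment_headers("text/html", "upload.html"))
```

The origin check and the content-type check are deliberately independent: the former stops forged requests from any page the browser considers cross-site, the latter stops auto-submitted forms even from a browser that sends neither Origin nor Referer. Serving active attachment types as `application/octet-stream` with `Content-Disposition: attachment` is the conservative choice; serving them inline from a separate, cookie-less origin is the alternative when rendering is actually wanted.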
