You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@couchdb.apache.org by "Jason Smith (JIRA)" <ji...@apache.org> on 2010/07/18 19:18:49 UTC
[jira] Created: (COUCHDB-829) Denial of Service vulnerability in
rewriter
Denial of Service vulnerability in rewriter
-------------------------------------------
Key: COUCHDB-829
URL: https://issues.apache.org/jira/browse/COUCHDB-829
Project: CouchDB
Issue Type: Bug
Components: Database Core
Affects Versions: 1.0
Environment: CouchDB trunk, erl R13B04
Reporter: Jason Smith
Untrusted, unsanitized user input should not be converted to atoms because it allows the user to fill up the atom table in the VM, wasting memory and eventually causing a couchdb crash.
If rewriting is enabled (which it is by default), and if an attacker knows a database and ddoc name (even if the ddoc has no _rewrite rules), the attacker can permanently enter atoms into system.
I have not exhaustively audited couch_httpd_rewrite.erl but for instance handle_rewrite_req/3 converts all URL query keys to atoms.
[info] [<0.38.0>] Apache CouchDB has started on http://0.0.0.0:5984/
1> erlang:list_to_existing_atom("do_i_exist").
** exception error: bad argument
in function list_to_existing_atom/1
called as list_to_existing_atom("do_i_exist")
$ curl -X PUT localhost:5984/ex
{"ok":true}
$ curl -X PUT localhost:5984/ex/_design/ex -d {}
{"ok":true,"id":"_design/ex","rev":"1-967a00dff5e02add41819138abb3284d"}
$ curl http://localhost:5984/ex/_design/ex/_rewrite?do_i_exist=blah
{"error":"rewrite_error","reason":"Invalid path."}
2> [info] [<0.109.0>] 127.0.0.1 - - 'GET' /ex/_design/ex/_rewrite?do_i_exist=blah 404
2> erlang:list_to_existing_atom("do_i_exist").
do_i_exist
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (COUCHDB-829) Denial of Service vulnerability in
rewriter
Posted by "Chris Anderson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris Anderson closed COUCHDB-829.
----------------------------------
Resolution: Fixed
thanks, fixed in r965667
> Denial of Service vulnerability in rewriter
> -------------------------------------------
>
> Key: COUCHDB-829
> URL: https://issues.apache.org/jira/browse/COUCHDB-829
> Project: CouchDB
> Issue Type: Bug
> Components: Database Core
> Affects Versions: 1.0
> Environment: CouchDB trunk, erl R13B04
> Reporter: Jason Smith
>
> Untrusted, unsanitized user input should not be converted to atoms because it allows the user to fill up the atom table in the VM, wasting memory and eventually causing a couchdb crash.
> If rewriting is enabled (which it is by default), and if an attacker knows a database and ddoc name (even if the ddoc has no _rewrite rules), the attacker can permanently enter atoms into system.
> I have not exhaustively audited couch_httpd_rewrite.erl but for instance handle_rewrite_req/3 converts all URL query keys to atoms.
> [info] [<0.38.0>] Apache CouchDB has started on http://0.0.0.0:5984/
> 1> erlang:list_to_existing_atom("do_i_exist").
> ** exception error: bad argument
> in function list_to_existing_atom/1
> called as list_to_existing_atom("do_i_exist")
> $ curl -X PUT localhost:5984/ex
> {"ok":true}
> $ curl -X PUT localhost:5984/ex/_design/ex -d {}
> {"ok":true,"id":"_design/ex","rev":"1-967a00dff5e02add41819138abb3284d"}
> $ curl http://localhost:5984/ex/_design/ex/_rewrite?do_i_exist=blah
> {"error":"rewrite_error","reason":"Invalid path."}
> 2> [info] [<0.109.0>] 127.0.0.1 - - 'GET' /ex/_design/ex/_rewrite?do_i_exist=blah 404
> 2> erlang:list_to_existing_atom("do_i_exist").
> do_i_exist
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.