Posted to dev@couchdb.apache.org by "Dario Freire (Created) (JIRA)" <ji...@apache.org> on 2011/10/20 23:52:10 UTC

[jira] [Created] (COUCHDB-1314) Couchdb _replicator documents should not show passwords in clear text

Couchdb _replicator documents should not show passwords in clear text
---------------------------------------------------------------------

                 Key: COUCHDB-1314
                 URL: https://issues.apache.org/jira/browse/COUCHDB-1314
             Project: CouchDB
          Issue Type: Improvement
          Components: Replication
    Affects Versions: 1.1
            Reporter: Dario Freire
            Priority: Critical


The documents stored in the _replicator database show passwords in clear text.

Imagine a scenario where a developer provides a couchdb app that runs in a central location and must synchronize with users' local couchdb instances.
The users would need to pull updates to their database by adding a document to _replicator:

{
    "_id": "great-app",
    "source":  "http://great-app-provider.com:5984/great-app",
    "target":  "my-great-app",
    "create_target":  true
}

Now if the developer doesn't want his central couchdb instance to be public, he needs to protect it by creating an admin party.
The problem is that he can no longer share his database for replication because doing so would reveal the admin credentials to the app users.
i.e. in order for the synchronization to work the users would need to update their _replicator documents to:

{
    "_id": "great-app",
    "source":  "http://admin:password@great-app-provider.com:5984/great-app",
    "target":  "my-great-app",
    "create_target":  true
}

All in plain text.
Thus, the users would know how to access the restricted central couchdb instance.

This is just one possible scenario where showing credentials in plain text is a problem, but it is by no means the only one.

Since one of the "selling points" of couchdb is its outstanding ability to synchronize databases, the security concerns caused by this issue make it impossible to use in practice. 
Because of this, it looks like an improvement on this matter is of critical importance.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
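
An added example, not part of the original report or of CouchDB's code: one way an administrator could audit _replicator documents for the pattern the report describes, credentials embedded in a "source" or "target" URL, and list them with the secret redacted. The sample documents are constructed; handling of an object-valued endpoint with a "url" key is an assumption about how some documents are written.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample documents, modelled on the two shown in the report.
SAMPLE_DOCS = [
    {"_id": "great-app",
     "source": "http://admin:password@great-app-provider.com:5984/great-app",
     "target": "my-great-app", "create_target": True},
    {"_id": "public-pull",
     "source": "http://great-app-provider.com:5984/great-app",
     "target": "my-great-app"},
    # Assumed object form: endpoint given as {"url": ...}.
    {"_id": "object-form", "source": "local-db",
     "target": {"url": "https://bob:s3cret@example.org/backup"}},
]

def redact(url):
    """Return (redacted_url, username) if url carries userinfo, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed URL: nothing to report here
        return None
    if parts.username is None and parts.password is None:
        return None             # plain URL or local database name
    hostport = parts.netloc.rpartition("@")[2]
    safe = urlunsplit(parts._replace(netloc="REDACTED@" + hostport))
    return safe, parts.username

def audit(docs):
    """List (doc id, field, username, redacted URL) for each embedded credential."""
    findings = []
    for doc in docs:
        for field in ("source", "target"):
            value = doc.get(field)
            if isinstance(value, dict):
                value = value.get("url")
            if not isinstance(value, str):
                continue
            hit = redact(value)
            if hit:
                findings.append((doc.get("_id"), field, hit[1], hit[0]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DOCS):
        print(*finding, sep="  ")
```
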

        

[jira] [Closed] (COUCHDB-1314) Couchdb _replicator documents should not show passwords in clear text

Posted by "Filipe Manana (Closed) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/COUCHDB-1314?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Filipe Manana closed COUCHDB-1314.
----------------------------------

       Resolution: Fixed
    Fix Version/s: 1.2

This issue is fixed by the recently committed security changes.
Consult the following wiki pages:

http://wiki.apache.org/couchdb/Security_Features_Overview
http://wiki.apache.org/couchdb/Breaking_changes
                
> Couchdb _replicator documents should not show passwords in clear text
> ---------------------------------------------------------------------
>
>                 Key: COUCHDB-1314
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1314
>             Project: CouchDB
>          Issue Type: Improvement
>          Components: Replication
>    Affects Versions: 1.1
>            Reporter: Dario Freire
>            Priority: Critical
>              Labels: replication, replicator, security
>             Fix For: 1.2
>
>
> The documents stored in the _replicator database show passwords in clear text.
> Imagine a scenario where a developer provides a couchdb app that runs in a central location and must synchronize with users' local couchdb instances.
> The users would need to pull updates to their database by adding a document to _replicator:
> {
>     "_id": "great-app",
>     "source":  "http://great-app-provider.com:5984/great-app",
>     "target":  "my-great-app",
>     "create_target":  true
> }
> Now if the developer doesn't want his central couchdb instance to be public, he needs to protect it by creating an admin party.
> The problem is that he can no longer share his database for replication because doing so would reveal the admin credentials to the app users.
> i.e. in order for the synchronization to work the users would need to update their _replicator documents to:
> {
>     "_id": "great-app",
>     "source":  "http://admin:password@great-app-provider.com:5984/great-app",
>     "target":  "my-great-app",
>     "create_target":  true
> }
> All in plain text.
> Thus, the users would know how to access the restricted central couchdb instance.
> This is just one possible scenario where showing credentials in plain text is a problem, but it is by no means the only one.
> Since one of the "selling points" of couchdb is its outstanding ability to synchronize databases, the security concerns caused by this issue make it impossible to use in practice. 
> Because of this, it looks like an improvement on this matter is of critical importance.
