pouchdb / pouchdb-server

CouchDB-compatible server built on PouchDB and Node

Apache License 2.0

952 stars 154 forks source link

security problem #415

Open himalay34 opened 5 years ago

himalay34 commented 5 years ago

express-pouchdb server security issue:

anyone with "pouchdb-authentication" module can create admin user without any prior authentication .eg.

let db = new PouchDB(''http://localhost:3000/testdb');
db.signUpAdmin('batman', 'brucewayne', function (err, response) {
  // etc.

});

with that, everybody can get control over express-pouchdb server.

do you think is it ok??

himalay34 commented 5 years ago

solved it by modifiying 'express-pouchdb/lib/routes/authorization.js' file by adding following lines after line 13.

 app.get('/_membership',  requiresServerAdmin);
 app.put('/_node/node1@127.0.0.1/_config/admins/:key',  requiresServerAdmin);
 app.delete('/_node/node1@127.0.0.1/_config/admins/:key',  requiresServerAdmin);

don't konw is it right or wrong but i saved my day....

himalay34 commented 5 years ago

407

fasiha commented 4 years ago

Is pouchdb-server basically unusable with this bug still unaddressed?