ALL COVERED TOPICS

NoSQL Benchmarks NoSQL use cases NoSQL Videos NoSQL Hybrid Solutions NoSQL Presentations Big Data Hadoop MapReduce Pig Hive Flume Oozie Sqoop HDFS ZooKeeper Cascading Cascalog BigTable Cassandra HBase Hypertable Couchbase CouchDB MongoDB OrientDB RavenDB Jackrabbit Terrastore Amazon DynamoDB Redis Riak Project Voldemort Tokyo Cabinet Kyoto Cabinet memcached Amazon SimpleDB Datomic MemcacheDB M/DB GT.M Amazon Dynamo Dynomite Mnesia Yahoo! PNUTS/Sherpa Neo4j InfoGrid Sones GraphDB InfiniteGraph AllegroGraph MarkLogic Clustrix CouchDB Case Studies MongoDB Case Studies NoSQL at Adobe NoSQL at Facebook NoSQL at Twitter

NAVIGATE MAIN CATEGORIES

Close
Friday, 9 March 2012
‹ Back

CouchDB in Node Package Manager Exposed Password Hashes

About:
,
,
,

The security alert:

  • Your password wasn’t leaked, but the hash was. Still not great.
  • It’s fixed now.

The root problem?

To do login, npm uses the /_users database in couchdb. By default, CouchDB prior to version 1.2.0 makes this database world-readable.

Yet another problem

Latest stable CouchDB release is 1.1.1. And you’ll probably find some more nasty comments in the Hacker News thread.

Workaround

Captured by Klint Finley from Jan Lehnardt:

For those not ready to upgrade to 1.2.0 CouchDB developer Jan Lehnardt suggests restricting access to /_users with a proxy.

Conclusions

  1. Klint Finley:

    The good news of course is that the CouchDB is changing this default behavior. The bad news is that it took this long for the problem with NPM to be noticed and fixed.

  2. Me: the very bad news is that security is still an after-thought for many NoSQL databases.

Original title and link: CouchDB in Node Package Manager Exposed Password Hashes (NoSQL database©myNoSQL)