
Connection pool not paying attention to authentication when using replicaSet=true

Details

• Type: Bug
• Status: Closed
• Priority: Critical - P2
• Resolution: Fixed
• Affects Version/s: 1.2.10
• Fix Version/s: 1.3.0RC1
• Component/s: pecl-mongo
• Labels:
• Environment: Redhat
• # Replies: 5
• Last comment by Customer: true

Description

When connecting to a replicaSet using replicaSet=true, the connection pool does not pay attention to the validity of the connection and reuses invalid connections or unauthenticated connections.

Steps to reproduce:
1) Make a few valid connections to a replicaSet using the replicaSet=true connection parameter. This will fill the connection pool with valid connections.
2) Modify the password in your connection string to be invalid.
3) Attempt to connect again. Even though you have the wrong password, you can jump on an old persistent connection and still use it.

This obviously has security consequences. It is possible for an unprivileged user to access the database even if they do not have the password because they can reuse a persistent connection from the pool.

This has other negative consequences. If a connection fails for some reason, that invalid connection is still in the pool and will give errors to anyone that uses it.
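The following Python model is an added illustration, not code from this report or from pecl-mongo: it reproduces the pool behaviour described above (pool key ignores credentials and liveness) beside a variant that keys persistent connections on host, replica set and credentials and evicts dead connections. The credential table, the `Connection`/`Pool` classes and the `reproduce` helper are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed credential table standing in for the server's auth check.
VALID_CREDENTIALS = {"app": "s3cret"}

@dataclass
class Connection:
    host: str
    user: str
    authenticated: bool
    alive: bool = True

def open_connection(host: str, user: str, password: str) -> Connection:
    # Simulated socket open plus auth handshake; bad password -> unauthenticated.
    return Connection(host, user, VALID_CREDENTIALS.get(user) == password)

@dataclass
class Pool:
    """fixed=False models the reported behaviour: the pool key ignores credentials
    and liveness. fixed=True keys on credentials and drops dead connections."""
    fixed: bool
    conns: dict = field(default_factory=dict)

    def key(self, host, replica_set, user, password):
        if not self.fixed:
            return (host, replica_set)  # credentials not part of the key
        pw_digest = hashlib.sha256(password.encode()).hexdigest()
        return (host, replica_set, user, pw_digest)

    def get(self, host, replica_set, user, password) -> Connection:
        k = self.key(host, replica_set, user, password)
        conn = self.conns.get(k)
        if conn is not None and (conn.alive or not self.fixed):
            return conn  # reuse the persistent connection
        conn = open_connection(host, user, password)
        if conn.authenticated:
            self.conns[k] = conn  # never pool a connection that failed auth
        return conn

def reproduce(fixed: bool):
    """Steps 1-3 from the report, followed by a server-side disconnect."""
    pool = Pool(fixed)
    first = pool.get("rs0", True, "app", "s3cret")      # step 1: valid connection
    wrong = pool.get("rs0", True, "app", "wrong-pass")  # steps 2-3: bad password
    first.alive = False                                 # server closes the socket
    again = pool.get("rs0", True, "app", "s3cret")
    return wrong.authenticated, again.alive
```

`reproduce(False)` hands the wrong-password caller an authenticated connection and later returns the dead one; `reproduce(True)` refuses the bad password and opens a fresh connection in place of the dead one.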
