Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Duplicate
Priority: Trivial - P5
Fix Version/s: None
Affects Version/s: 2.4.9
Component/s: Security, Shell
Labels:
None

Operating System:
ALL
Steps To Reproduce:
Hide

[root@localhost ~]# mongo admin -u thisguy -p oldpassword --port 27001
MongoDB shell version: 2.4.9
connecting to: 127.0.0.1:27001/admin
testset2:PRIMARY> db.changeUserPassword("thisguy", "newpassword")
testset2:PRIMARY> exit
bye
[root@localhost ~]# mongo admin -u thisguy -p newpassword --port 27001
MongoDB shell version: 2.4.9
connecting to: 127.0.0.1:27001/admin
testset2:PRIMARY> exit
bye

Login as a different user
[root@localhost ~]# mongo admin -u daddy -p password --port 27001
MongoDB shell version: 2.4.9
connecting to: 127.0.0.1:27001/admin

up arrow
testset2:PRIMARY> db.changeUserPassword("thisguy", "newpassword")
Show
[root@localhost ~] # mongo admin -u thisguy -p oldpassword --port 27001 MongoDB shell version: 2.4.9 connecting to: 127.0.0.1:27001/admin testset2:PRIMARY> db.changeUserPassword("thisguy", "newpassword") testset2:PRIMARY> exit bye [root@localhost ~] # mongo admin -u thisguy -p newpassword --port 27001 MongoDB shell version: 2.4.9 connecting to: 127.0.0.1:27001/admin testset2:PRIMARY> exit bye Login as a different user [root@localhost ~] # mongo admin -u daddy -p password --port 27001 MongoDB shell version: 2.4.9 connecting to: 127.0.0.1:27001/admin up arrow testset2:PRIMARY> db.changeUserPassword("thisguy", "newpassword")
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

The db.changeUserPassword() is in history. Any user that can connect to the mongo shell can use the uparrow to see the changed password in plain text.

Workaround:
Prehash the password and change it with something like the following:

db.system.users.update(

{ "pwd" : "' + hashedoldpassword + '"}

, { $set:

{ "pwd" : "' + hashednewpassword + '"}

} )

duplicates

SERVER-9939 createUser and updateUser commands aren't filtered from shell history, even though they may contain user's password

Closed

Assignee:: Unassigned
Reporter:: Jeffery Schnick
Participants:: Daniel Pasette, James Wahlin, Jeffery Schnick
Votes:: 0 Vote for this issue
Watchers:: 9 Start watching this issue

Created:: Feb 13 2014 06:39:23 PM UTC
Updated:: Dec 10 2014 11:05:37 PM UTC
Resolved:: Feb 18 2014 04:38:00 AM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates