Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-13166

Enabled authentication still allows remote login without username

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Duplicate
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 2.4.9
    • Component/s: Security
    • None
    • Fully Compatible
    • ALL
    • Hide

      1. Install mongodb 2.4.9 server and configure with default settings
      2. Add auth=true to mongodb.conf
      3. Add an admin user, as per the manual
      4. Restart mongodb
      5. Attempt to connect from a remote host without specifying a username

      Show
      1. Install mongodb 2.4.9 server and configure with default settings 2. Add auth=true to mongodb.conf 3. Add an admin user, as per the manual 4. Restart mongodb 5. Attempt to connect from a remote host without specifying a username

      MongoDB server 2.4.9 with auth=true in mongodb.conf. Admin user created as per manual. Authenticated users can connect fine. Attempting to connect with any username and either no passord or an incorrect password results in the following:

      $ mongo <host> -u username
      MongoDB shell version: 2.4.9
      connecting to: <host>/test
      Wed Mar 12 14:02:00.125 Error: 18

      { code: 18, ok: 0.0, errmsg: "auth fails" }

      at src/mongo/shell/db.js:228
      exception: login failed

      However, omitting a username allows a shell connection with limited access:

      $ mongo <host>
      MongoDB shell version: 2.4.9
      connecting to: <host>/test
      > db.system.users.find()
      error:

      { "$err" : "not authorized for query on test.system.users", "code" : 16550 }

      > db.version()
      2.4.9
      > db.adminCommand(

      {forceerror:1}

      )

      { "errmsg" : "exception: forced error", "code" : 10038, "ok" : 0 }

      This could allow log clutter, server recon, and DoS depending on the architecture of the server.

            Assignee:
            andreas.nilsson Andreas Nilsson
            Reporter:
            rvanantwerp Ryan Van Antwerp
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: