Core Server / SERVER-17379

HTTP interface's localhost exception check is too permissive


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.1, 3.1.0
    • Component/s: Security
    • Labels: None
    • Backwards Compatibility: Minor Change
    • Operating System: ALL

    Description

      Issue Status as of Apr 30, 2015

      ISSUE SUMMARY
      The HTTP interface has a more permissive localhost exception policy than the database server.

      USER IMPACT
      The embedded web server that provides the HTTP interface may allow a user to connect via localhost without credentials even if users are defined in the admin database and --auth is enabled. If no users are defined in the admin database, unauthenticated access via the HTTP interface from anywhere (not just localhost) is also possible.

      This is more permissive than the database server's localhost exception policy: the database server only honours the localhost exception while no users exist in the admin database, and never grants unauthenticated access from a remote host.

      WORKAROUNDS
      As a workaround, follow our security best practices and disable the embedded web server (it is off unless explicitly enabled in 2.6.0 and later).
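A concrete form of that workaround, added here as an editor's example rather than configuration from the ticket: a mongod YAML configuration (the file format introduced in 2.6 and used by 3.0) with the embedded web server and the REST interface left off and authorization enabled. The port and file paths are assumptions; when the HTTP interface is enabled it listens on the mongod port plus 1000, so with the default port 27017 it would be 28017.

```yaml
# Example mongod.conf (editor's example, not from the ticket).
# Assumes the default port 27017; the log and data paths are placeholders.
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1              # only accept client connections on loopback
  http:
    enabled: false               # embedded web server off (the default since 2.6.0)
    RESTInterfaceEnabled: false  # REST API off as well; it depends on http.enabled
    JSONPEnabled: false
security:
  authorization: enabled         # equivalent to --auth
```

On the command line the equivalent is to start mongod with --auth and simply not pass --httpinterface. To verify after a restart, a request such as `curl -sS --max-time 3 http://127.0.0.1:28017/` should fail to connect; if it returns the HTML status page, the interface is still enabled and, on an affected version, reachable from localhost without credentials.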

      AFFECTED VERSIONS
      All previous versions of the HTTP interface are affected by this issue. The HTTP interface is disabled by default from 2.6.0 and onwards.

      FIX VERSION
      The fix is included in the 3.0.1 production release.

      People

        spencer@mongodb.com Spencer Brody (Inactive)