SERVER-17379 (Core Server)

HTTP interface's localhost exception check is too permissive


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.1, 3.1.0
    • Component/s: Security
    • Labels: None
    • Backwards Compatibility: Minor Change
    • Operating System: ALL

      Description

      Issue Status as of Apr 30, 2015

      ISSUE SUMMARY
      The HTTP interface has a more permissive localhost exception policy than the database server.

      USER IMPACT
      The embedded web server that provides the HTTP interface may allow a user to connect via localhost even if users are defined in the admin database and --auth is enabled. If no users are defined in the admin database, unauthenticated access via the HTTP interface from anywhere (not just localhost) is also possible.

      This is more permissive than the database server localhost exception policy.

      WORKAROUNDS
      As a workaround, follow our security best practices and disable the embedded web server.
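The ticket does not show the configuration itself, so the following is an added example rather than text from the issue. It assumes the YAML mongod.conf format of the 2.6/3.0 series and the configuration keys net.http.enabled, net.http.RESTInterfaceEnabled and security.authorization from the MongoDB configuration reference of that era; the weak block is left commented out beside the hardened settings.

```yaml
# mongod.conf (YAML format of the 2.6/3.0 series; assumed, not taken from the ticket)

# Weak: the embedded web server is on. It listens on the mongod port + 1000
# (28017 for the default port 27017) and applies its own, more permissive,
# localhost exception, which is the behaviour this ticket describes.
#
# net:
#   port: 27017
#   http:
#     enabled: true

# Hardened: keep the embedded web server off (its default since 2.6),
# keep the REST interface off, and require authentication for the
# database server itself.
net:
  port: 27017
  bindIp: 127.0.0.1
  http:
    enabled: false
    RESTInterfaceEnabled: false

security:
  authorization: enabled
```

After restarting mongod, confirm that nothing is listening on the HTTP port (28017 with the defaults above), for example with `ss -ltn` on Linux; the command-line equivalent of `net.http.enabled: false` is the `--nohttpinterface` flag, and `security.authorization: enabled` corresponds to `--auth`.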

      AFFECTED VERSIONS
      All previous versions of the HTTP interface are affected by this issue. The HTTP interface is disabled by default from 2.6.0 and onwards.

      FIX VERSION
      The fix is included in the 3.0.1 production release.
