Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: 3.0.15, 3.2.14, 3.3.14
Affects Version/s: 2.4.10
Component/s: Security
Labels:

Backwards Compatibility:
Minor Change
Operating System:
ALL
Backport Requested:

v3.2, v3.0
Steps To Reproduce:
Hide

rm ~/.dbshell echo test | mongo ls -la ~/.dbshell
Show
rm ~/.dbshell echo test | mongo ls -la ~/.dbshell
Linked BF Score:
27
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

During a very similar bug report on redis (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460), lamby@ linked to a code search which hinted a similar bug in mongodb.

I've verified this bug exists in 2.4.10 (current mongodb in debian stable), but I'm not sure about the latest version.

I think the severity for this bug is lower, given that db.auth isn't written to ~/.dbshell, but it might leak sensitive application specific information that might be useful for a local attacker.

I suggest the permissions should be set to the user only (0600) instead of world readable (0644, current permissions).

is related to

SERVER-26489 mongo shell no longer records history of commands

Closed

SERVER-25963 shell should warn user if .dbshell history file is read/writeable by other users

Closed

related to

SERVER-22992 wait_for_pid() function in shell_utils_launcher.cpp doesn't wait for program output to finish being consumed

Closed

links to

Pull request #1106

Assignee:: Kevin Pulo
Reporter:: kpcyrd
Participants:: Githook User, Grant Ridder, Kevin Pulo, kpcyrd, Marek Skalický, Ramon Fernandez Marina
Votes:: 2 Vote for this issue
Watchers:: 20 Start watching this issue

Created:: Jul 29 2016 02:36:06 PM UTC
Updated:: Jan 08 2024 03:23:10 PM UTC
Resolved:: Sep 06 2016 01:55:28 AM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates