[SERVER-13166] Enabled authentication still allows remote login without username

Created: 12/Mar/14 | Updated: 10/Dec/14 | Resolved: 13/Mar/14

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.4.9 |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Ryan Van Antwerp |
| Assignee: | Andreas Nilsson |
| Resolution: | Duplicate |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Steps To Reproduce: | 1. Install mongodb 2.4.9 server and configure with default settings |
| Participants: | |

Description
MongoDB server 2.4.9 with auth=true in mongodb.conf. Admin user created as per manual. Authenticated users can connect fine.

Attempting to connect with any username and either no password or an incorrect password results in the following:

$ mongo <host> -u username
at src/mongo/shell/db.js:228

However, omitting a username allows a shell connection with limited access:

$ mongo <host>
> db.version()
)
{ "errmsg" : "exception: forced error", "code" : 10038, "ok" : 0 }

This could allow log clutter, server recon, and DoS depending on the architecture of the server.
Comments

Comment by Andreas Nilsson [ 13/Mar/14 ]
By design it is always possible to connect with the shell to the server without authenticating as a specific user. Once the connection is established there are a few commands that need to be executable without authentication, including the commands used to set up an authenticated connection. As noted in this ticket there are currently a few commands available, such as forceerror, that are not needed unless authenticated. There is an existing ticket. My suggestion is that we close this ticket and continue the discussion regarding the unauthenticated command surface in
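The comment above separates commands that must stay callable before authentication (those used to set up an authenticated connection) from ones such as forceerror that should not be. The following audit script, added here and not part of the ticket or of MongoDB's own code, lets an operator check their own deployment for that split: it runs a short list of commands over an unauthenticated connection and reports which ones the server executed rather than refused. It assumes pymongo for the live check and assumes a refusal shows up as error code 13 or an errmsg containing "not authorized"/"unauthorized"; the sample reply is the one quoted in the ticket.

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample: the reply the ticket quotes for forceerror on 2.4.9.
SAMPLE_FORCEERROR_REPLY = {"errmsg": "exception: forced error", "code": 10038, "ok": 0}

# Commands that are expected to work before login (connection setup) versus
# the others on the page. This split is the auditor's assumption, not the
# ticket's list; buildInfo is what the shell's db.version() calls.
EXPECTED_OPEN = {"isMaster", "ping"}
CANDIDATES = ["isMaster", "ping", "buildInfo", "forceerror"]


def classify(reply: Dict) -> str:
    """Return 'rejected' when the server refused the command for lack of
    authorization, otherwise 'executed' (the handler ran, whether or not it
    reported ok). Assumption: a refusal carries code 13 or an errmsg
    mentioning 'not authorized' / 'unauthorized'."""
    msg = str(reply.get("errmsg", "")).lower()
    if reply.get("code") == 13 or "not authorized" in msg or "unauthorized" in msg:
        return "rejected"
    return "executed"


def audit(run: Callable[[str], Dict], commands: Iterable[str] = CANDIDATES) -> List[Tuple[str, str]]:
    """Send each command through `run` (which returns the raw reply document
    and never raises) and flag any command that executed without
    authentication although it is not needed for connection setup."""
    findings = []
    for name in commands:
        verdict = classify(run(name))
        if verdict == "executed" and name not in EXPECTED_OPEN:
            verdict = "executed without authentication"
        findings.append((name, verdict))
    return findings


def pymongo_runner(host: str) -> Callable[[str], Dict]:
    """Build a `run` callable over an unauthenticated pymongo connection.
    Assumes pymongo is installed; only used for a live check."""
    from pymongo import MongoClient
    from pymongo.errors import OperationFailure

    client = MongoClient(host, serverSelectionTimeoutMS=3000)

    def run(name: str) -> Dict:
        try:
            return client.admin.command(name)  # sends {name: 1} to admin
        except OperationFailure as exc:
            return exc.details or {"errmsg": str(exc), "code": exc.code, "ok": 0}

    return run


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for cmd, verdict in audit(pymongo_runner(host)):
        print(f"{cmd:12s} {verdict}")
```

Any command reported as "executed without authentication" is one that reached its handler before login, which is the condition the ticket describes for forceerror.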