[SERVER-17379] HTTP interface's localhost exception check is too permissive Created: 25/Feb/15  Updated: 25/Jan/17  Resolved: 03/Mar/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 3.0.1, 3.1.0

Type: Bug Priority: Major - P3
Reporter: Spencer Brody (Inactive) Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate: is duplicated by SERVER-17686 Access to http interface when authent... Closed
Backwards Compatibility: Minor Change
Operating System: ALL
Backport Completed:
Participants:

Description
Issue Status as of Apr 30, 2015

ISSUE SUMMARY
The HTTP interface has a more permissive localhost exception policy than the database server.

USER IMPACT
The embedded web server that provides the HTTP interface may allow a user to connect via localhost even if users are defined on the admin database and --auth is enabled. If no users are defined in the admin database, unauthenticated access via the HTTP interface from anywhere (not just localhost) is also possible.

This is more permissive than the database server localhost exception policy.

WORKAROUNDS
As a workaround, follow our security best practices and disable the embedded web server.

AFFECTED VERSIONS
All previous versions of the HTTP interface are affected by this issue. The HTTP interface is disabled by default from 2.6.0 and onwards.

FIX VERSION
The fix is included in the 3.0.1 production release.
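To make the policy gap concrete, here is an added Python model (not MongoDB's code) of the two behaviours the ticket describes: the old HTTP-interface check, which passed any loopback peer regardless of admin users and any peer at all when no admin users existed, beside a check aligned with the database server's localhost exception. The function names, the constructed sample cases and the reading of the corrected rule as "loopback and no admin users" are assumptions.

```python
import ipaddress


def is_loopback(remote_addr: str) -> bool:
    """True only for a genuine loopback peer: 127.0.0.0/8, ::1, or the
    IPv4-mapped form ::ffff:127.x.x.x. Unparseable input is never trusted."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # unwrap ::ffff:a.b.c.d to a.b.c.d
    return addr.is_loopback


def http_allows_unauthenticated_before(remote_addr, auth_enabled, admin_users_exist):
    """Model of the permissive HTTP-interface policy described in the ticket."""
    if not auth_enabled:
        return True
    # Loopback always passed, and with no admin users any peer passed.
    return is_loopback(remote_addr) or not admin_users_exist


def allows_unauthenticated_after(remote_addr, auth_enabled, admin_users_exist):
    """Model of the database server's localhost exception (assumed to be what
    the fix aligns the HTTP interface with): loopback only, and only while
    no users exist in the admin database."""
    if not auth_enabled:
        return True
    return is_loopback(remote_addr) and not admin_users_exist


def policy_gaps():
    """Constructed cases where the old policy admitted an unauthenticated peer
    that the database-server policy rejects. Each case is (peer, --auth on,
    admin users defined)."""
    cases = {
        "loopback, users defined": ("127.0.0.1", True, True),
        "remote, no users": ("203.0.113.5", True, False),
        "remote, users defined": ("203.0.113.5", True, True),
        "loopback, no users": ("::1", True, False),
    }
    return sorted(
        name for name, args in cases.items()
        if http_allows_unauthenticated_before(*args)
        and not allows_unauthenticated_after(*args)
    )
```

Running `policy_gaps()` yields exactly the two situations the USER IMPACT section names: a loopback peer with users already defined, and a non-loopback peer when no admin users exist.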



Comments
Comment by Githook User [ 04/Mar/15 ]

Author: Spencer T Brody (username stbrody, spencer@mongodb.com)

Message: SERVER-17379 Require connection be on localhost to allow unauthorized access via webserver

(cherry picked from commit e21b0f3c018198a81a4484cdb985a2211531d6ab)
Branch: v3.0
https://github.com/mongodb/mongo/commit/d84943152aa80f3a968d2bd8c3ba600831d3ba8f

Comment by Githook User [ 03/Mar/15 ]

Author: Spencer T Brody (username stbrody, spencer@mongodb.com)

Message: SERVER-17379 Require connection be on localhost to allow unauthorized access via webserver
Branch: master
https://github.com/mongodb/mongo/commit/e21b0f3c018198a81a4484cdb985a2211531d6ab
