[SERVER-8286] getLastError replicatedTo leaks admin information to non-admin user Created: 23/Jan/13  Updated: 15/Feb/13  Resolved: 23/Jan/13

Status: Closed
Project: Core Server
Component/s: Replication, Security
Affects Version/s: 2.3.2
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Asya Kamsky Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Operating System: ALL
Participants:

 Description   

In the process of creating tests for SERVER-4073 I created a user who had only access to test database, not auth access. This user is not allowed to run rs.status() command. However via a write followed by getlasterror he can access information about what replica nodes there are and their address.

> rs.status()
{ "ok" : 0, "errmsg" : "unauthorized" }
> db.c1.insert({}); db.runCommand({getlasterror:1, w:9, wtimeout:5000})
{
	"n" : 0,
	"lastOp" : {
		"t" : 1358901189000,
		"i" : 1
	},
	"connectionId" : 13,
	"wtimeout" : true,
	"waited" : 5000,
	"replicatedTo" : [
		"10.5.1.168"
	],
	"err" : "timeout",
	"ok" : 1
}



 Comments   
Comment by Eliot Horowitz (Inactive) [ 23/Jan/13 ]

nodes are not private

Comment by Scott Hernandez (Inactive) [ 23/Jan/13 ]

How is this different than isMaster?

Generated at Thu Feb 08 03:17:01 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.