<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:30:51 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-13166] Enabled authentication still allows remote login without username</title>
                <link>https://jira.mongodb.org/browse/SERVER-13166</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;MongoDB server 2.4.9 with auth=true in mongodb.conf. Admin user created as per manual. Authenticated users can connect fine. Attempting to connect with any username and either no password or an incorrect password results in the following:&lt;/p&gt;

&lt;p&gt;$ mongo &amp;lt;host&amp;gt; -u username&lt;br/&gt;
MongoDB shell version: 2.4.9&lt;br/&gt;
connecting to: &amp;lt;host&amp;gt;/test&lt;br/&gt;
Wed Mar 12 14:02:00.125 Error: 18 &lt;/p&gt;
{ code: 18, ok: 0.0, errmsg: &quot;auth fails&quot; }
&lt;p&gt; at src/mongo/shell/db.js:228&lt;br/&gt;
exception: login failed&lt;/p&gt;

&lt;p&gt;However, omitting a username allows a shell connection with limited access:&lt;/p&gt;

&lt;p&gt;$ mongo &amp;lt;host&amp;gt;&lt;br/&gt;
MongoDB shell version: 2.4.9&lt;br/&gt;
connecting to: &amp;lt;host&amp;gt;/test&lt;br/&gt;
&amp;gt; db.system.users.find()&lt;br/&gt;
error: &lt;/p&gt;
{ &quot;$err&quot; : &quot;not authorized for query on test.system.users&quot;, &quot;code&quot; : 16550 }
&lt;p&gt;&amp;gt; db.version()&lt;br/&gt;
2.4.9&lt;br/&gt;
&amp;gt; db.adminCommand({forceerror:1})&lt;/p&gt;
{ &quot;errmsg&quot; : &quot;exception: forced error&quot;, &quot;code&quot; : 10038, &quot;ok&quot; : 0 }

&lt;p&gt;This could allow log clutter, server recon, and DoS depending on the architecture of the server. &lt;/p&gt;</description>
                <environment></environment>
        <key id="119815">SERVER-13166</key>
            <summary>Enabled authentication still allows remote login without username</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="3">Duplicate</resolution>
                                        <assignee username="andreas.nilsson">Andreas Nilsson</assignee>
                                    <reporter username="rvanantwerp">Ryan Van Antwerp</reporter>
                        <labels>
                    </labels>
                <created>Wed, 12 Mar 2014 19:22:57 +0000</created>
                <updated>Wed, 10 Dec 2014 23:04:26 +0000</updated>
                            <resolved>Thu, 13 Mar 2014 15:20:13 +0000</resolved>
                                    <version>2.4.9</version>
                                                    <component>Security</component>
                                        <votes>0</votes>
                                    <watches>7</watches>
                                                                                                                <comments>
                            <comment id="515214" author="andreas.nilsson@10gen.com" created="Thu, 13 Mar 2014 15:19:05 +0000"  >&lt;p&gt;By design it is always possible to connect with the shell to the server without authenticating as a specific user. Once the connection is established there are a few commands that need to be executable without authentication, including the commands used to set up an authenticated connection.&lt;/p&gt;

&lt;p&gt;As noted in this ticket there are currently a few commands available, such as forceerror, that are not needed unless authenticated. There is an existing ticket &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-12143&quot; title=&quot;Make some unauthenticated commands require auth&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-12143&quot;&gt;&lt;del&gt;SERVER-12143&lt;/del&gt;&lt;/a&gt; to reduce the number of commands possible in unauthenticated mode.&lt;/p&gt;

&lt;p&gt;My suggestion is that we close this ticket and continue the discussion regarding the unauthenticated command surface in &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-12143&quot; title=&quot;Make some unauthenticated commands require auth&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-12143&quot;&gt;&lt;del&gt;SERVER-12143&lt;/del&gt;&lt;/a&gt;.  &lt;/p&gt;</comment>
                    </comments>
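The unauthenticated command surface that the description and the comment above discuss can be measured rather than guessed at. The following is an added example, not code from the ticket or from MongoDB: it sends a handful of commands to a mongod without credentials and, crucially, distinguishes a command that was rejected by the authorization layer from one that executed and merely returned an error (forceerror answering code 10038 in the transcript is the second case, while the system.users query answering code 16550 is the first). The authorization error codes, the expected pre-auth command list, the probe set and the pymongo host and port are assumptions of this example.

```python
"""Probe which MongoDB commands execute without credentials.

Added example for SERVER-13166; not MongoDB's code and not from the ticket.
Assumed: pymongo is installed for the live probe (imported lazily so the
classification helpers below run offline), and the codes in
AUTHZ_ERROR_CODES are the server's authorization failures (16550 is the
one shown on the ticket; 13 "Unauthorized" is the one later servers use).
"""
import sys

AUTHZ_ERROR_CODES = {13, 16550}

# Commands a client legitimately needs before authenticating (assumption:
# this list is this example's, not taken from any MongoDB release).
EXPECTED_PREAUTH = {
    "isMaster", "hello", "ping", "buildInfo",
    "getnonce", "authenticate", "saslStart", "saslContinue", "logout",
}

# Probe set (assumed): expected pre-auth commands plus commands that should
# never run unauthenticated. forceerror is the one from the ticket.
PROBE_COMMANDS = [
    ("isMaster", {"isMaster": 1}),
    ("buildInfo", {"buildInfo": 1}),
    ("forceerror", {"forceerror": 1}),
    ("listDatabases", {"listDatabases": 1}),
    ("serverStatus", {"serverStatus": 1}),
    ("hostInfo", {"hostInfo": 1}),
]


def classify(reply):
    """Return 'denied' if the authorization layer rejected the command,
    otherwise 'executed'. An error reply does not mean denial: forceerror
    on the ticket answers code 10038 "forced error", which proves it ran."""
    if reply.get("ok") == 1:          # shell shows ok as 1 or 1.0; both compare equal
        return "executed"
    if reply.get("code") in AUTHZ_ERROR_CODES:
        return "denied"
    text = (str(reply.get("errmsg", "")) + str(reply.get("$err", ""))).lower()
    if "not authorized" in text or "unauthorized" in text:
        return "denied"
    return "executed"


def audit(replies, expected=EXPECTED_PREAUTH):
    """replies maps command name to reply dict; return the sorted names that
    executed without credentials although they are not expected pre-auth."""
    return sorted(
        name for name, reply in replies.items()
        if classify(reply) == "executed" and name not in expected
    )


def probe(host="localhost", port=27017, commands=PROBE_COMMANDS):
    """Send each command to a live mongod with no credentials and collect the
    raw replies (pymongo raises OperationFailure on ok:0, so unwrap it)."""
    from pymongo import MongoClient
    from pymongo.errors import OperationFailure

    client = MongoClient(host, port, serverSelectionTimeoutMS=3000)
    replies = {}
    for name, spec in commands:
        try:
            replies[name] = client.admin.command(spec)
        except OperationFailure as exc:
            replies[name] = exc.details or {"ok": 0, "code": exc.code, "errmsg": str(exc)}
    return replies


# Constructed replies modelled on the ticket's transcript (forceerror, the
# system.users query, and db.version(), which the shell backs with the
# buildInfo command) plus one constructed code-13 denial for listDatabases.
SAMPLE_REPLIES = {
    "forceerror": {"errmsg": "exception: forced error", "code": 10038, "ok": 0},
    "system.users query": {"$err": "not authorized for query on test.system.users", "code": 16550},
    "buildInfo": {"version": "2.4.9", "ok": 1.0},
    "listDatabases": {"ok": 0, "code": 13, "errmsg": "not authorized on admin to execute command"},
}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    live = probe(target)
    for name, reply in live.items():
        print(f"{name:15} {classify(reply)}")
    print("unexpected unauthenticated surface:", audit(live))
```

Run it as python audit.py host against a server with auth enabled; the SAMPLE_REPLIES dictionary lets the classification be exercised offline against the replies shown on the ticket. The design point is the verdict rule: an ok:0 reply is only a denial when its code or message comes from the authorization layer, and everything else counts as executed, because that is exactly the gap the ticket reports.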
                <issuelinks>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                            <outwardlinks description="duplicates">
                                        <issuelink>
            <issuekey id="102936">SERVER-12143</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10038"><![CDATA[Fully Compatible]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 13 Mar 2014 15:19:05 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        9 years, 48 weeks, 6 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>ramon.fernandez@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            9 years, 48 weeks, 6 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>andreas.nilsson</customfieldvalue>
            <customfieldvalue>rvanantwerp</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrlz47:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hrwpfz:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>104915</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10750" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Steps To Reproduce</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>&lt;p&gt;1. Install mongodb 2.4.9 server and configure with default settings&lt;br/&gt;
2. Add auth=true to mongodb.conf&lt;br/&gt;
3. Add an admin user, as per the manual&lt;br/&gt;
4. Restart mongodb&lt;br/&gt;
5. Attempt to connect from a remote host without specifying a username&lt;/p&gt;</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10166" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Tests Written</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10153"><![CDATA[Unneeded]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hsh2wn:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>