不受保护的MongoDB服务器?(Unprotected MongoDB server?)
如果这是一个愚蠢或愚蠢的问题,我事先道歉。 我们只是说我偶然发现了一个属于大公司的未受保护的MongoDB服务器。 我尝试使用客户端连接到服务器,而不输入用户名和密码,并且连接成功。 现在,我不确定我是否可以访问数据库中的数据,但我可以看到它上面有一些数据库,我相信我可以在其上创建和删除数据库(没有试过)。 这构成了多大的安全漏洞? 请注意,我没有篡改或弄乱任何东西,我只是问,所以我可以看出这是否确实是我应该报告的安全漏洞,或者是误报。 这种访问不应仅限于数据库管理员吗?
I apologize beforehand if this is a stupid or a silly question in any way. Let's just say that I stumbled upon an unprotected MongoDB server belonging to a big company. I tried using a client to connect to the server, without entering a username and password and it connected successfully. Now, I'm not sure if I have access to the data inside the databases, but I can see that there are a few databases on it, and I believe that it's possible for me to create and drop databases on it (haven't tried). How big of a security flaw does this constitute? Please note that I haven't tampered or messed around with anything, I'm just asking so I can discern if this is indeed a security flaw that I should report, or a false positive. Shouldn't such access be limited to database administrators?
原文:https://stackoverflow.com/questions/37279464