MongoDB security should be changed


Janis

Mar 30, 2011, 10:10:45 AM3/30/11
to mongodb-user


http://erlend.oftedal.no/blog/?blogid=115


I just read "Is 2011 the Year of NoSQL Data Breaches?" over at Infosec
Island. The article was really interesting and points out some aspects
of MongoDB which I really don't like. I'm all for NoSQL databases, as
the relational model does not fit well everywhere, so I'm hoping the
MongoDB developers will address these issues pretty soon.

One of the problems the article points out is that a MongoDB user
either has read-only or read-write access to the database, meaning if
you manage to breach a read-write account, you can access
everything.

The second problem is the authentication, which seems to rely on MD5
digests, and any security-interested developer will tell you not to
rely on MD5 anymore. Also, these digests are apparently repeatable,
opening the door to replay attacks.

Eliot Horowitz

Mar 30, 2011, 10:15:38 AM3/30/11
to mongod...@googlegroups.com
> The second problem is the authentication, which seems to rely on MD5
> digests, and any security-interested developer will tell you not to
> rely on MD5 anymore. Also, these digests are apparently repeatable,
> opening the door to replay attacks.


Just on this point, the article is wrong about it being replayable.
The key hash is MD5( db + username + pwd ),
but we do NOT send that over the wire.
The client first asks for a one-time-use code that is only valid for one
attempt on that socket, and hashes the above with that.
So there is no issue with replay attacks.
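The challenge-response flow described in the reply above, modeled as an added example (this is not MongoDB's own code or wire format; the credential layout MD5(db + username + pwd) is taken from the post as written, while the nonce size, the Server/Client classes, the connection identifiers and the sample credentials are assumptions made for the example). It shows why a sniffed proof is rejected both on a fresh connection and on a second attempt over the same socket, and, going one step past the post, that the captured nonce and proof still let an eavesdropper guess a weak password offline, because the construction is an unsalted MD5 of the credential. That residual risk is the MD5 concern raised in the opening post, not a replay issue.

```python
import hashlib
import secrets


def key_hash(db: str, username: str, password: str) -> str:
    """Long-term credential, laid out as the post states: MD5(db + username + pwd).
    The server stores this; it is never sent over the wire."""
    return hashlib.md5((db + username + password).encode()).hexdigest()


def response(key: str, nonce: str) -> str:
    """Client proof: the stored key hashed together with the one-time nonce."""
    return hashlib.md5((nonce + key).encode()).hexdigest()


class Server:
    """Toy server (assumption): one outstanding nonce per connection,
    consumed by the first authentication attempt whether it succeeds or not."""

    def __init__(self, db: str, users: dict):
        self.db = db
        self.users = {u: key_hash(db, u, p) for u, p in users.items()}
        self.pending = {}  # connection id -> nonce waiting to be used

    def get_nonce(self, conn: str) -> str:
        nonce = secrets.token_hex(8)  # 16 hex chars, unpredictable (size assumed)
        self.pending[conn] = nonce
        return nonce

    def authenticate(self, conn: str, username: str, proof: str) -> bool:
        nonce = self.pending.pop(conn, None)  # one attempt per nonce, per socket
        if nonce is None or username not in self.users:
            return False
        expected = response(self.users[username], nonce)
        return secrets.compare_digest(expected, proof)


class Client:
    def __init__(self, db: str, username: str, password: str):
        self.username = username
        self.key = key_hash(db, username, password)  # computed locally, never sent

    def login(self, server: Server, conn: str):
        nonce = server.get_nonce(conn)
        proof = response(self.key, nonce)
        return nonce, proof, server.authenticate(conn, self.username, proof)


def offline_guess(db: str, username: str, nonce: str, proof: str, wordlist):
    """What an eavesdropper can do with a captured (nonce, proof) pair:
    recompute the exchange for each candidate password until one matches."""
    for candidate in wordlist:
        if response(key_hash(db, username, candidate), nonce) == proof:
            return candidate
    return None


def demo() -> dict:
    # Constructed sample credentials and wordlist for the example.
    server = Server("app", {"alice": "correct horse battery"})
    client = Client("app", "alice", "correct horse battery")

    # Legitimate login; assume an attacker sniffs both nonce and proof.
    nonce, proof, login_ok = client.login(server, "conn-1")

    # Replay on a new connection: the server hands out a fresh nonce,
    # so the old proof no longer matches.
    server.get_nonce("conn-2")
    replay_new_conn = server.authenticate("conn-2", "alice", proof)

    # Replay on the original socket: its nonce was consumed by the first attempt.
    replay_same_conn = server.authenticate("conn-1", "alice", proof)

    # Offline guessing from the captured exchange still works for weak passwords.
    guessed = offline_guess("app", "alice", nonce, proof,
                            ["password", "hunter2", "correct horse battery"])

    return {
        "login": login_ok,
        "replay_new_conn": replay_new_conn,
        "replay_same_conn": replay_same_conn,
        "guessed": guessed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The one-attempt nonce is what defeats replay; the offline guess succeeds only because the wordlist contains the real password, which is the point: the nonce protects the socket, not the strength of the password or of the MD5-based credential behind it.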
