Reefa Posted March 4, 2015 Share Posted March 4, 2015 About two weeks back, over 40,000 organizations running MongoDB were found unprotected and vulnerable to hackers. Now, once again the users of MongoDB database are at risk because of a critical zero-day vulnerability making rounds in underground market. MongoDB, one of the leading NoSQL databases, is an open-source database used by companies of all sizes, across all industries for a wide variety of applications. By leveraging in-memory computing, MongoDB provides high performance for both reads and writes. 'PhPMoAdmin' ZERO-DAY VULNERABILITY Hacker known by the online moniker, "sp1nlock" has found a zero-day vulnerability in 'phpMoAdmin', a free, open-source, written in PHP, AJAX-based MongoDB GUI (graphical user interface) administration tool that allows you to easily manage noSQL database MongoDB. According to multiple posts available on the exploit selling underground forums, the phpMoAdmin is vulnerable to a Zero-Day Remote Code Execution flaw that allows an unauthorized remote user to hijack the websites running phpMoAdmin tool. 0-DAY EXPLOIT AVAILABLE AND IT WORKS At the time of writing, we have no idea that phpMoAdmin developers are aware of the this zero-day vulnerability or not, but this exploit is already for sale on underground exploits forums and has already been verified by the market administrators that — It Works! It might be possible that number of buyers and hackers already have access to the phpMoAdmin zero-day exploit and, unfortunately, there is no patch yet available for thousands of vulnerable websites. HOW TO PROTECT MONGO DATABASE ? In order to protect yourself, users of MongoDB database are recommended to avoid using phpMoAdmin until the developer team releases a patch for the zero-day remote code execution vulnerability. As an alternate to the phpMoAdmin, you can make use of other free MongoDB GUI Tools available, as follows:RockMongo – A Powerful MongoDB GUI ToolMongoVUE – A Desktop based MongoDB GUI ToolMongo-Express – A well featured MongoDB GUI ToolUMongo – A Decent MongoDB GUI ToolGenghis – A lightweight MongoDB GUI ToolHowever, if you don’t want to replace your phpMoAdmin file, then the simplest approach would be to restrict unauthorized access using htaccess password i.e. creating '.htpasswd' authentication for folder containing "moadmin.php" file.http://thehackernews.com/2015/03/phpMoAdmin-mongoDB-exploit.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29 Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.