
Unauthorized access leads to leakage of sensitive information #568

Open
mastersir-lab opened this issue Mar 19, 2024 · 5 comments

Comments

@mastersir-lab

Introduction

No login to the system is required: you can operate the database connection, and you can view the database account and password information in the connection settings interface.

Steps to reproduce:

1. You can operate without logging in to the system. Visit the system home page.

2. Click the Connect function to open the database connection configuration interface.

3. Edit the configuration and view the configuration information. It contains a database account and password.

4. The database connection information in the configuration interface can be accessed, and the database can be operated.

@rsercano
Member

Hello, if I remember correctly, there was a way to enable HTTP basic authentication when logging into the app.

But it's been quite a while, and this project is no longer being actively managed due to lack of support from officials, although it has community support.

If I recall correctly, there must be an environment variable that you must set to enable HTTP basic authentication; you might find it in the code. I'll try to check in my spare time and will comment.

@mastersir-lab
Author

If it is not turned on by default, assets on the public network will pose a risk of leakage. Hopefully adding action statements is less risky.

@rsercano
Member

```
MONGOCLIENT_AUTH: true
MONGOCLIENT_USERNAME: admin
MONGOCLIENT_PASSWORD: password
```

With these environment variables you can enable HTTP basic authentication @mastersir-lab
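An added example, not code from the issue or from the project itself: a small POSIX shell audit that reads a deployment's environment file and checks the three variables named in the comment above, failing when basic auth is off (the default the reporter describes) or when the credentials are still the placeholders quoted here. The file names, the placeholder list and the minimum password length are assumptions.

```shell
#!/bin/sh
# Added audit helper (not project code). Reads KEY=VALUE or KEY: VALUE lines
# from an env/compose-style file and succeeds only when HTTP basic auth is
# enabled and the password is neither empty nor a well-known placeholder.

# get_var FILE KEY -> prints KEY's value (last occurrence wins; surrounding quotes stripped)
get_var() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" | tail -n 1 | tr -d '"'
}

# audit_mongoclient_env FILE -> prints findings; returns 0 if clean, 1 otherwise
audit_mongoclient_env() {
    auth=$(get_var "$1" MONGOCLIENT_AUTH)
    pass=$(get_var "$1" MONGOCLIENT_PASSWORD)
    rc=0
    if [ "$auth" != "true" ]; then
        echo "FAIL: MONGOCLIENT_AUTH='$auth' (expected true): UI and stored DB credentials reachable without login"
        rc=1
    fi
    case "$pass" in
        password|admin|changeme) echo "FAIL: MONGOCLIENT_PASSWORD is a placeholder value"; rc=1 ;;
    esac
    # Assumed policy: at least 12 characters (also catches an empty/missing password).
    if [ ${#pass} -lt 12 ]; then echo "FAIL: MONGOCLIENT_PASSWORD shorter than 12 characters"; rc=1; fi
    return $rc
}

# Constructed samples: the literal lines from the comment, the unset default, and a corrected file.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/weak.env" <<'EOF'
MONGOCLIENT_AUTH: true
MONGOCLIENT_USERNAME: admin
MONGOCLIENT_PASSWORD: password
EOF
cat > "$SAMPLE_DIR/default.env" <<'EOF'
MONGOCLIENT_USERNAME: admin
EOF
cat > "$SAMPLE_DIR/hardened.env" <<'EOF'
MONGOCLIENT_AUTH=true
MONGOCLIENT_USERNAME=dba-ops
MONGOCLIENT_PASSWORD="Vq7!pR2m-zL9kX4w"
EOF

for f in default weak hardened; do
    echo "== $f.env"
    audit_mongoclient_env "$SAMPLE_DIR/$f.env" && echo "OK: auth enabled with non-placeholder password" || true
done
```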

@mastersir-lab
Author

In this way, the system has security problems, which lead to sensitive information leakage under the default configuration.

@crtmneric

@mastersir-lab what you said is akin to 'Using your Instagram account without 2FA leads to risks like sensitive information leakage under the default configuration, with the possibility of hacking.' Incorrect usage is not a security problem. Those are end-user problems. A lot of systems' default usernames and passwords are admin/admin.
