SSK

Reputation: 285

MongoDB application security

I'm checking a MongoDB application. There is an application installed on my system; when I enter a single quote (') in the input box, it pops up the following error:

A problem occurred in a Python script. Here is the sequence of function calls leading up to the error, in the order they occurred.
 /usr/lib/cgi-bin/mongo/2.2.3/dbparse.py in ()
     41 print "</th>"
     42 if where:
=>   43    for record in collection.find(where):
     44         print "<tr>"
     45         print "<td align=\"center\">"+record["test"]+"</td>"
record undefined, collection = Collection(Database(MongoClient('localhost', 27017), u'test_d'), u'london_garages'), collection.find = <bound method Collection.find of Collection(Data...', 27017), u'test_d'), u'l_g')>, where = {'$where': "this.test== ''--'"}

What is the meaning of the error? If you have another pointer to check the security of this application, please let me know.

Upvotes: 1

Views: 9937

Answers (1)

ems

Reputation: 46

If you look at the error and the following part:

 where = {'$where': "this.test== ''--'"}

I assume the single quote goes to the where clause (some sort of search), so your code is probably something like the following:

where = {'$where': "this.test== '[YOUR TEXT BOX INPUT]--'"}

A single quote terminated your where clause prematurely. This is a good demonstration of a NoSQL injection.

Upvotes: 3
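The following is an added example, not code from the original question or answer. It reconstructs the query construction that the traceback implies (the `$where` string with the text box value spliced in), shows the same string the probe produced, puts a parameterised equality filter beside it, and adds a small audit helper that flags filters using server-side JavaScript operators. The function names, the always-true payload and the sample inputs are assumptions made for the example; no MongoDB server is needed because the functions only build the filter dicts that pymongo's `collection.find()` would receive.

```python
from typing import Any

# Constructed inputs (not from the original post): a benign search term, the probe
# the question used, and a hypothetical payload that turns the predicate into
# "this.test== '' || true || '--'", which is true for every document.
BENIGN_INPUT = "london"
PROBE_INPUT = "'"
ALWAYS_TRUE_PAYLOAD = "' || true || '"

# Query operators whose value is JavaScript executed on the server.
SERVER_SIDE_JS_OPERATORS = {"$where", "$function", "$accumulator"}


def build_where_vulnerable(user_input: str) -> dict:
    """Assumed reconstruction of the vulnerable code behind the traceback:
    the text box value is concatenated into a JavaScript expression that
    $where evaluates for every document. Quotes in the input are code."""
    return {"$where": "this.test== '" + user_input + "--'"}


def build_filter_safe(user_input: str) -> dict:
    """Hardened form: an equality filter. The value travels as a BSON string,
    never as code, so a quote or '||' in it is just characters to match."""
    return {"test": user_input}


def uses_server_side_js(query: Any) -> bool:
    """Walk a filter or pipeline (dicts and lists) and report whether any
    operator in it runs server-side JavaScript. Useful as an audit check
    over the queries an application builds."""
    if isinstance(query, dict):
        return any(
            key in SERVER_SIDE_JS_OPERATORS or uses_server_side_js(value)
            for key, value in query.items()
        )
    if isinstance(query, list):
        return any(uses_server_side_js(item) for item in query)
    return False


def compare(user_input: str) -> dict:
    """Return both constructions for one input so the difference is visible."""
    vulnerable = build_where_vulnerable(user_input)
    safe = build_filter_safe(user_input)
    return {
        "vulnerable_where": vulnerable["$where"],
        "vulnerable_runs_js": uses_server_side_js(vulnerable),
        "safe_filter": safe,
        "safe_runs_js": uses_server_side_js(safe),
    }


if __name__ == "__main__":
    for label, value in [("benign", BENIGN_INPUT),
                         ("probe", PROBE_INPUT),
                         ("payload", ALWAYS_TRUE_PAYLOAD)]:
        print(label, compare(value))
```

With the probe `'` the vulnerable builder yields exactly the `where` value shown in the traceback (`this.test== ''--'`), whose unbalanced quote makes the expression invalid JavaScript, which is why the query fails instead of returning rows. With the always-true payload it yields a syntactically valid predicate that matches every document; the equality filter passes the same bytes through as a literal value. Besides rewriting queries as filters, you can disable server-side JavaScript entirely (`security.javascriptEnabled: false` in the mongod configuration), which makes `$where` fail closed.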
