日期:2014-05-16  浏览次数:20419 次

mongodb 安全
mongo db 也有与sql数据库的sql注入类似的攻击,

?

写道
You must be very careful with security when executing JavaScript on the server. If done
incorrectly, server-side JavaScript is susceptible to injection attacks similar to those that
occur in a relational database. However, by following certain rules around accepting
input, you can use JavaScript safely. Alternatively, you can turn off JavaScript execution
altogether by running mongod with the --noscripting option.
The security issues with JavaScript are all related to executing user-provided programs
on the server. You want to avoid doing that, so make sure you aren’t accepting user input
and passing it directly to mongod. For example, suppose you want to print “Hello,
name!”, where name is provided by the user. A naive approach might be to write a Java‐
Script function such as the following:
> func = "function() { print('Hello, "+name+"!'); }"
If name is a user-defined variable, it could be the string "'); db.dropDatabase();
print('", which would turn the code into this:
> func = "function() { print('Hello, '); db.dropDatabase(); print('!'); }"
Now, if you run this code, your entire database will be dropped!

?

?

mongo db 以 javascript 作为脚本语言,

用户可以输入一段恶意的javasript,

?

比如

?

前台页面有一个input,让用户输入用户名

但用户输入了类似如下脚本并提交,

'); db.dropDatabase();('

就会删除掉数据库。

?

解决方法

--noscripting 关闭执行用户输入的javascript,可以避免类似sql注入的攻击。

?