MongoDB security

MongoDB is also exposed to an attack that resembles SQL injection in relational databases.

Quoted:
You must be very careful with security when executing JavaScript on the server. If done incorrectly, server-side JavaScript is susceptible to injection attacks similar to those that occur in a relational database. However, by following certain rules around accepting input, you can use JavaScript safely. Alternatively, you can turn off JavaScript execution altogether by running mongod with the --noscripting option.

The security issues with JavaScript are all related to executing user-provided programs on the server. You want to avoid doing that, so make sure you aren’t accepting user input and passing it directly to mongod. For example, suppose you want to print “Hello, name!”, where name is provided by the user. A naive approach might be to write a JavaScript function such as the following:

> func = "function() { print('Hello, "+name+"!'); }"

If name is a user-defined variable, it could be the string "'); db.dropDatabase(); print('", which would turn the code into this:

> func = "function() { print('Hello, '); db.dropDatabase(); print('!'); }"

Now, if you run this code, your entire database will be dropped!

MongoDB uses JavaScript as its scripting language, so a user can submit a piece of malicious JavaScript.

For example, the front-end page has an input field asking the user for a user name. If the user instead enters a script like the following and submits it,

'); db.dropDatabase();('

the database is dropped.

Solution

Start mongod with --noscripting, which disables server-side JavaScript execution so that user-supplied JavaScript can no longer run; this prevents the SQL-injection-style attack described above.

1. Add --auth when setting up

MongoDB only requires authentication once --auth has been added.

2. Add --nohttpinterface

Without it, a listener on port 28017 offers web-based management of MongoDB; if you do not need it, remove it.

3. Optionally add --bind_ip

This restricts which IP addresses may connect.

4. Optionally add --port

This lets you choose a different port; the default is 27017.

5. Immediately after installation, add a user in the admin database

Authentication only takes effect once a user has been added in the admin database.

Reposted from gutou9.iteye.com/blog/2040740