MongoDB, one of the Web's leading NoSQL platforms, is a popular alternative to table-based relational databases. One of the GUI tools used to manage MongoDB (phpMoAdmin) has a serious vulnerability that, if exploited, allows an attacker to execute commands on the server.
Written in PHP, phpMoAdmin is similar to phpMyAdmin, in that it provides a GUI that developers and administrators can use for various database tasks. However, while phpMyAdmin has a strong development community (given its ties to MySQL), phpMoAdmin hasn't been updated in more than two years.
Recently, researchers discovered a serious flaw in the phpMoAdmin code which, if exploited, allows an attacker to execute commands on the server. The flaw was publicly disclosed earlier this month, and some administrators have already started to report exploitation attempts.
It isn't clear if the phpMoAdmin developers are aware of the issue. However, criminals were selling the exploit about a week before a Metasploit module was developed and published.
The flaw centers on the script's use of eval() on unsanitized input taken straight from a GET request:
eval('$find = ' . $_GET['find'] . ';');
That code path is reached through the listRows value of the $action variable; the injected PHP code itself rides in the find parameter, as in the following request:
http://localhost/phpmoadmin/moadmin.php?action=listRows&collection=0&find=array();system(%27whoami%27);exit;
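Because administrators are already seeing exploitation attempts, the practical first step for a defender is to check web server logs for requests that abuse the find parameter. The following is an added example, not code from the article or from the phpMoAdmin project: it parses Apache combined-format access-log lines (the sample lines are constructed for this illustration, reusing the request shown above), decodes the query string, and flags any find value that carries a statement separator outside a quoted string or a call to a code-execution function. The list of flagged function names is an assumption chosen for illustration, as is the expectation that a benign find value is a single PHP array literal.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (Apache combined format), not real traffic.
# Line 3 reproduces the exploit request shown in the article; line 4 is a control
# hitting a different script and should not be reported.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2015:12:00:01 +0000] "GET /phpmoadmin/moadmin.php?action=listRows&collection=users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2015:12:00:05 +0000] "GET /phpmoadmin/moadmin.php?action=listRows&collection=users&find=array(%27name%27%3D%3E%27bob%27) HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:12:01:17 +0000] "GET /phpmoadmin/moadmin.php?action=listRows&collection=0&find=array();system(%27whoami%27);exit; HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:12:01:20 +0000] "GET /index.php?find=array();system(%27id%27); HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, identd, user, [timestamp], "METHOD target PROTOCOL", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# PHP functions whose presence inside an eval()'d query is never legitimate here.
# This list is an assumption for the example, not an exhaustive catalogue.
DANGEROUS_CALL_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|base64_decode)\s*\(",
    re.IGNORECASE,
)


def parse_query(query):
    """Split a query string on '&' only and percent-decode keys and values.

    Deliberately does not use urllib.parse.parse_qs: older Python versions also
    split on ';', which would cut the injected payload into separate keys and
    hide the statement separator we want to detect.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def semicolon_outside_quotes(value):
    """True if a ';' appears outside single or double quotes (ends the array literal early)."""
    quote = None
    i = 0
    while i < len(value):
        c = value[i]
        if quote:
            if c == "\\":          # skip escaped character inside a string
                i += 2
                continue
            if c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif c == ";":
            return True
        i += 1
    return False


def analyze_find(value):
    """Return a list of human-readable reasons the find value looks like code injection."""
    reasons = []
    if semicolon_outside_quotes(value):
        reasons.append("statement separator outside a quoted string")
    for m in DANGEROUS_CALL_RE.finditer(value):
        reasons.append(f"call to {m.group(1).lower()}()")
    return reasons


def scan_log(text):
    """Scan log text and return one record per request to moadmin.php with a suspicious find value."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("moadmin.php"):
            continue
        for find_value in parse_query(parts.query).get("find", []):
            reasons = analyze_find(find_value)
            if reasons:
                hits.append({"ip": m.group("ip"), "timestamp": m.group("ts"),
                             "find": find_value, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} find={hit['find']!r}: {'; '.join(hit['reasons'])}")
```

On the sample input only the third line is reported, with both reasons; the benign `array('name'=>'bob')` query is ignored, and a `;` inside a quoted value (for example a search term containing a semicolon) does not trigger the separator rule. Point `scan_log` at a real access log by reading the file into a string; the same heuristics apply to any endpoint that evaluates request input, but the path filter keeps this run specific to phpMoAdmin.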
The bots targeting the flaw, operating out of a co-location center in New Jersey, are attempting to spread an IRCbot written in Perl. This script, as well as the current method of propagation, is similar to a campaign covered on CSO last year when criminals were targeting Shellshock.
Anyone using phpMoAdmin is encouraged to switch to another GUI tool. There are plenty available, such as RockMongo, MongoVUE, Mongo-Express, or UMongo. If that isn't an option, then restricting access to phpMoAdmin appears to be the only other alternative.
The phpMoAdmin project is idle and possibly abandoned, highlighting the risks of relying on unmaintained open source code. If there's no one to maintain it, then flaws will forever remain unpatched.
Last month, after a team of German researchers discovered some 40,000 MongoDB installations exposed to the public, the MongoDB team released a blog post outlining some basic security practices. This post, as well as the MongoDB security manual, is certainly worth a look given recent developments.