nosqlclient
Unauthorized access leads to leakage of sensitive information
Introduction
Without logging in to the system, you can operate the database connection and view the database account and password information in the connection settings interface.
Steps to reproduce:
1. You can operate without logging in to the system. Visit the system home page.
2. Click the Connect function to open the database connection configuration interface.
3. Edit the configuration and view the configuration information. It contains a database account and password.
4. The database connection information in the configuration interface can be accessed, and the database can be operated.
Hello, if I remember correctly, there was a way to put HTTP basic authentication in front of logging into the app.
But it's been quite a while, and this project is no longer being actively maintained due to lack of support from officials, although it has community support.
If I recall correctly, there must be an environment variable that you must set to enable HTTP basic authentication; you might find it in the code. I'll try to check in my spare time and will comment.
If it is not turned on by default, assets on the public network will be at risk of leakage. Hopefully adding instructions makes it less risky.
MONGOCLIENT_AUTH: true
MONGOCLIENT_USERNAME: admin
MONGOCLIENT_PASSWORD: password
With these environment variables you can enable HTTP basic authentication, @mastersir-lab.
In this way, the system has security problems that lead to sensitive information leakage under the default configuration.
@mastersir-lab what you said is akin to 'Using your Instagram account without 2FA leads to risks like sensitive information leakage under the default configuration, with the possibility of hacking.' Incorrect usage is not a security problem. Those are end-user problems. A lot of systems' default usernames and passwords are admin/admin.