About two weeks back, over 40,000 organizations running MongoDB were found unprotected and vulnerable to hackers. Now, once again, users of the MongoDB database are at risk because of a critical zero-day vulnerability making the rounds in the underground market.
MongoDB, one of the leading NoSQL databases, is an open-source database used by companies of all sizes, across all industries for a wide variety of applications. By leveraging in-memory computing, MongoDB provides high performance for both reads and writes.
‘phpMoAdmin’ ZERO-DAY VULNERABILITY
A hacker known by the online moniker “sp1nlock” has found a zero-day vulnerability in ‘phpMoAdmin’, a free, open-source, AJAX-based MongoDB GUI (graphical user interface) administration tool written in PHP that lets you easily manage the NoSQL database MongoDB.
According to multiple posts on underground exploit-selling forums, phpMoAdmin is vulnerable to a zero-day remote code execution flaw that allows an unauthorized remote user to hijack websites running the phpMoAdmin tool.
0-DAY EXPLOIT AVAILABLE AND IT WORKS
At the time of writing, we do not know whether the phpMoAdmin developers are aware of this zero-day vulnerability, but the exploit is already for sale on underground exploit forums, and the market administrators have already verified that it works.
It is possible that a number of buyers and hackers already have access to the phpMoAdmin zero-day exploit and, unfortunately, there is no patch yet available for the thousands of vulnerable websites.
HOW TO PROTECT YOUR MONGO DATABASE?
To protect yourself, MongoDB users are advised to avoid using phpMoAdmin until the developer team releases a patch for the zero-day remote code execution vulnerability.
As an alternative to phpMoAdmin, you can make use of other free MongoDB GUI tools, such as the following:
- RockMongo – A Powerful MongoDB GUI Tool
- MongoVUE – A Desktop based MongoDB GUI Tool
- Mongo-Express – A well-featured MongoDB GUI Tool
- UMongo – A Decent MongoDB GUI Tool
- Genghis – A lightweight MongoDB GUI Tool
However, if you don’t want to replace your phpMoAdmin installation, the simplest approach is to restrict unauthorized access with an htaccess password, i.e. creating ‘.htpasswd’ authentication for the folder containing the “moadmin.php” file.
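One way to apply that .htpasswd restriction, as an added example that is not from the article (the paths, the user name and the Apache 2.4 setup are assumptions, not values from the page):

```shell
#!/bin/sh
# Added example, not part of the article: put HTTP Basic authentication in
# front of the directory that holds moadmin.php, using an Apache .htaccess
# file and an .htpasswd file, so the admin tool is no longer reachable anonymously.
# Assumptions (placeholders, not from the article): Apache 2.4 with
# mod_auth_basic/mod_authn_file loaded and "AllowOverride AuthConfig" set for
# the web root; htpasswd(1) or openssl(1) is available to hash passwords.

# Print the .htaccess body for the phpMoAdmin directory.
# $1 = absolute path of the .htpasswd file (keep it outside the web root so
#      it can never be served as a static file)
make_htaccess() {
    cat <<EOF
AuthType Basic
AuthName "phpMoAdmin - authorized administrators only"
AuthUserFile $1
Require valid-user
EOF
}

# Add (or update) one user in the .htpasswd file. The password is piped on
# stdin rather than passed with -b so it does not show up in the process list.
# $1 = .htpasswd path, $2 = username, $3 = password
add_htpasswd_user() {
    if command -v htpasswd >/dev/null 2>&1; then
        if [ -f "$1" ]; then
            printf '%s' "$3" | htpasswd -iB "$1" "$2"      # -B = bcrypt
        else
            printf '%s' "$3" | htpasswd -ciB "$1" "$2"     # -c creates the file
        fi
    elif command -v openssl >/dev/null 2>&1; then
        # Fallback: Apache's apr1 (iterated MD5) format, still accepted by Apache.
        printf '%s:%s\n' "$2" "$(printf '%s\n' "$3" | openssl passwd -apr1 -stdin)" >> "$1"
    else
        echo "need htpasswd or openssl to hash the password" >&2
        return 1
    fi
    chmod 640 "$1"    # readable by owner and the web server's group only
}

# Lock down a phpMoAdmin directory: write .htaccess and create the first user.
# $1 = directory containing moadmin.php, $2 = .htpasswd path, $3 = user, $4 = password
protect_moadmin_dir() {
    [ -f "$1/moadmin.php" ] || { echo "no moadmin.php in $1" >&2; return 1; }
    make_htaccess "$2" > "$1/.htaccess" &&
    add_htpasswd_user "$2" "$3" "$4"
}
```

This only blocks anonymous requests; anyone holding valid credentials still reaches the vulnerable code, so treat it as a stopgap until a fixed phpMoAdmin release is available.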