Description

This web application is potentially vulnerable to authentication bypass via MongoDB operator injection.
Instead of supplying valid credentials (a valid username and password), the scanner was able to bypass authentication with payloads that the MongoDB engine evaluates as true because they abuse MongoDB query operators, for example username and password set to {"$ne": "randomstring"}.

Remediation

If you are passing $_GET/$_POST parameters to your queries, make sure that they are cast to strings first. If you are using JavaScript, make sure that any variables that cross the PHP-to-JavaScript boundary are passed in the scope field of MongoCode, not interpolated into the JavaScript string.
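The vulnerable query-building pattern and the string-cast fix side by side, as an added PHP example that is not part of this report; the field names and the shape of the login filter are assumptions, and no driver or database is needed to run it:

```php
<?php
// Added example, not code from the scanner report: the vulnerable
// query-building pattern beside the string-cast fix the remediation describes.
// Field names and the filter layout are assumptions.

// What $_POST looks like when a client sends ordinary credentials.
$normalRequest = ['username' => 'alice', 'password' => 's3cret'];

// What $_POST looks like when the scanner's payload arrives: PHP's request
// parsing can hand the application a nested array instead of a string, and
// that array is a MongoDB operator document.
$injectedRequest = [
    'username' => ['$ne' => 'randomstring'],
    'password' => ['$ne' => 'randomstring'],
];

// Vulnerable: parameters flow into the filter untouched, so the injected array
// becomes {"username": {"$ne": ...}} and matches every account.
function buildLoginFilterUnsafe(array $post): array
{
    return [
        'username' => $post['username'] ?? null,
        'password' => $post['password'] ?? null,
    ];
}

// Hardened: refuse anything that is not a string, then cast. The cast alone is
// what the remediation requires; the explicit check additionally surfaces the
// attempt (log the exception) instead of silently querying for "Array".
function buildLoginFilterSafe(array $post): array
{
    foreach (['username', 'password'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("parameter '$field' must be a string");
        }
    }
    return [
        'username' => (string) $post['username'],
        'password' => (string) $post['password'],
    ];
}

echo json_encode(buildLoginFilterUnsafe($injectedRequest)), "\n";
echo json_encode(buildLoginFilterSafe($normalRequest)), "\n";

try {
    buildLoginFilterSafe($injectedRequest);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The unsafe filter still carries the $ne operator into the query, while the hardened builder rejects the request before any query is issued and passes the normal login through unchanged.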
