phpMoAdmin remote code execution
Description
phpMoAdmin is a single-file, web-based administration interface for MongoDB databases written in PHP. The application contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code on the server with the privileges of the web server process. Independently of that flaw, phpMoAdmin has no built-in authentication or authorization of its own: it connects to MongoDB with the credentials in its configuration, so anyone with network access to the page can view, modify, or delete database contents without supplying any credentials.
Remediation
Immediately restrict access to the phpMoAdmin application using one or more of the following methods:
1. Remove or disable the application if it is not actively needed for database administration.
2. Implement web server access controls to restrict access by client IP address. For Apache, add the following to your .htaccess file (which requires AllowOverride to permit it) or, preferably, to the virtual host configuration:

    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24   # Replace with your trusted IP range

Note that Order/Deny/Allow is Apache 2.2 syntax; on Apache 2.4 it only works when mod_access_compat is loaded, and the native equivalent is a Require ip directive with the same trusted range.
For Nginx, add to your server block:

    location /moadmin.php {
        allow 192.168.1.0/24;   # Replace with your trusted IP range
        deny all;
    }

Make sure this is the location that actually handles the request: a prefix location like the one above is overridden by any regular-expression location matching .php (for example the block containing fastcgi_pass), in which case the restriction is never applied. Either place allow/deny inside that PHP-handling location, or use an exact match (location = /moadmin.php) that also contains the FastCGI directives. Test from an address outside the trusted range and confirm you receive 403.
3. Add HTTP authentication as an additional security layer. For Apache with .htaccess:

    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /path/to/.htpasswd
    Require valid-user

Create the password file with the htpasswd utility and keep it outside the web root. Serve the application over HTTPS only, since Basic authentication sends the credentials on every request. On Apache 2.4, if you combine this with a Require ip rule, wrap both in a RequireAll block; otherwise either condition alone is sufficient to grant access.
4. Use a VPN or SSH tunnel to access the application only through secure, authenticated channels.
5. Consider migrating to a more secure and actively maintained MongoDB administration tool that includes proper authentication and authorization controls.
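The following script is an added example for verifying the remediation steps above; it is not part of phpMoAdmin or of the original advisory. It fetches the page without credentials and maps the response to one of the remediation states (removed, IP-restricted, behind HTTP auth, or still exposed). It assumes the application is served as /moadmin.php, its default file name, and uses the string "phpMoAdmin" in the HTML as a hypothetical marker that the page rendered; adjust both if your deployment differs. The sample responses at the bottom are constructed so the classification logic can be exercised offline.

```python
"""Verify that a phpMoAdmin deployment is no longer reachable anonymously.

Added example for this advisory; not part of phpMoAdmin or of the page.
Assumptions (not from the page): the script is served as /moadmin.php and
its HTML contains "phpMoAdmin" (hypothetical marker for a rendered page).
"""
import urllib.error
import urllib.request

MARKER = b"phpMoAdmin"  # hypothetical marker, see module docstring


def classify(status, body):
    """Map an HTTP status and body to a remediation state.

    exposed        200 and the page renders: usable by anyone on the network
    auth-required  401: HTTP authentication is enforced (item 3)
    ip-denied      403: the web server ACL rejected the client address (item 2)
    absent         404/410: the application has been removed (item 1)
    unknown        anything else, investigate manually
    """
    if status == 200 and MARKER in body:
        return "exposed"
    if status == 401:
        return "auth-required"
    if status == 403:
        return "ip-denied"
    if status in (404, 410):
        return "absent"
    return "unknown"


def probe(url, timeout=5):
    """Fetch url without credentials and return (status, body).

    urllib raises HTTPError for 4xx/5xx responses; the error object
    carries the status and body, so both paths return the same shape.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "moadmin-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check(url):
    """Probe a live URL and return its remediation state."""
    status, body = probe(url)
    return classify(status, body)


# Constructed responses standing in for a real server (offline exercise).
SAMPLES = {
    "unrestricted": (200, b"<html><head><title>phpMoAdmin</title></head>"),
    "behind-basic-auth": (401, b"<html><body>Unauthorized</body></html>"),
    "ip-allowlisted": (403, b"<html><body>Forbidden</body></html>"),
    "removed": (404, b"Not Found"),
}


def audit_samples():
    """Classify every constructed sample; returns {name: state}."""
    return {name: classify(status, body) for name, (status, body) in SAMPLES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check(sys.argv[1]))  # e.g. http://host/moadmin.php
    else:
        for name, state in audit_samples().items():
            print(f"{name:18} -> {state}")
```

Run it once from an address inside the trusted range (expect "auth-required" if HTTP authentication is in place) and once from outside it (expect "ip-denied"); a result of "exposed" from either vantage point means the restriction is not being applied to the request path that serves the script.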