What is MongoDB?

MongoDB is a document-oriented database and belongs to the NoSQL family of databases.

In this type of database there are no tables and records; instead, collections and documents are used. A collection roughly corresponds to a table, and a document to a record, in a relational database.

In this database the data has no fixed schema: two documents in the same collection (each similar to a record in a relational database) can have completely different structures; this type of structure is called BSON. For example, two documents of the same entity in this database might look like this:

Document 1:

_id – name – age

Document 2:

_id – family

What is BSON? MongoDB stores data in a JSON-like format; in MongoDB this structure is called BSON. The structure of a BSON document is as follows:

{
    "_id": ObjectId("b7d284dad1058f5698gorjhdc"),
    "Name": "sepehr",
    "age": "36",
    "Date of Birth": "21/05/85",
    "address": {
        "city": "Toronto",
        "PostalCode": "M1E5tx"
    },
    "phoneNumber": [
        {
            "type": "Home",
            "number": "64895555"
        },
        {
            "type": "work",
            "number": "0155853600"
        }
    ]
}

One of the advantages of MongoDB over relational databases (such as MySQL) is the ability to process and search much larger volumes of data at a time, as well as the ability to store larger volumes of data.

SQL to MongoDB

Higher processing speed: on every search or write, a relational database must check many conditions, such as the relationships between tables and the validity of record values, which adds considerable RAM and CPU overhead. MongoDB, because of its NoSQL structure, only stores and searches, so the time needed to access and store data is drastically reduced.

Higher data storage: a database can increase the amount of data the system can hold in two ways: horizontal scaling and vertical scaling.

1. Vertical scaling: the data is stored on a single node, and to hold more data we add RAM, CPU or hard disk to that node. MySQL is one database that uses this method.
2. Horizontal scaling: the data is distributed across different nodes, with each piece of data stored on one server, so the processing load is spread over several servers and both the speed of data access and the amount of data that can be stored increase. MongoDB and Cassandra are databases that use this method.

MongoDB structure

As mentioned above, in MongoDB you can control both the amount of data that can be stored and the speed of data access through horizontal scaling, which MongoDB calls sharding.

Advantages of using sharding:

  • As the cluster grows, the number of operations each shard has to handle decreases (because the work is spread across the shards), which increases the speed of data access.
  • As the number of shards increases, so does the amount of data that can be stored.
Install MongoDB as a shard

MongoDB distributes data at the collection level: the documents of a collection are spread across nodes, the shards. MongoDB uses the shard key to decide how data is distributed. A shard key is a single field or a combination of fields that is present in every document; generally _id can be used as the shard key.
MongoDB uses two types of shard key to distribute data: range-based partitioning and hash-based partitioning.

1. Range Based Sharding: in this method, documents are stored according to their shard key in groups called chunks, so documents with nearby shard keys end up close to each other in the same chunk. The advantage of this method is high search speed when we search by key. The obvious problem is that the data is not distributed evenly across chunks: since data is generally stored in key order, and the data entering the database usually arrives with sequential keys, all new data will be written to the same chunk in series.

2. Hash Based Sharding: in this method, Mongo computes a hash of the shard key fields and then distributes documents among chunks using those hashes. Because the hash is completely different from the key itself, two documents with nearby keys may end up in two completely different chunks.

In this method, unlike range-based sharding, the data is spread evenly across chunks, so the processing load does not fall on a single node. Its disadvantage is that, unlike range-based sharding, a query over a range of keys cannot be answered quickly from a single chunk.

Discovered WordPress Vulnerabilities (August 2020)

Fortunately, last month, as in July, no vulnerabilities were discovered or reported in the WordPress core itself. However, many vulnerabilities were found in the various plugins and themes of this CMS, which we introduce below.

If you use any of these plugins, update them as soon as possible; otherwise there is a real possibility that your site will be hacked.

Vulnerabilities discovered in WordPress plugins

In this section we examine the ways attackers gain access through the plugins you have installed on WordPress.

XSS vulnerability in Recall Products plugin

This is a stored XSS vulnerability that allows an attacker to execute malicious JavaScript code.
Vulnerable versions of this plugin: Up to now, all versions of this plugin are vulnerable.

SQL Injection vulnerability in the Recall Products plugin

The Manufactorer[] POST parameter in this plugin is vulnerable to SQL injection. The vulnerability is triggered when a deletion request is sent.

Vulnerable versions of this plugin: Up to now, all versions of this plugin are vulnerable.

XSS vulnerability in WP Smart CRM & Invoices plugin

This is a stored XSS vulnerability that allows an attacker to execute malicious JavaScript code through fields such as Business Name and Tax Code.

Vulnerable versions of this plugin: Up to now, all versions of this plugin are vulnerable.

XSS vulnerability in Ceceppa Multilingual plugin

This is a reflected XSS vulnerability that allows an attacker to execute malicious code through the tab parameter.
Vulnerable versions of this plugin: Up to now, all versions of this plugin are vulnerable.

XSS vulnerability in Bulk Change plugin

This is a reflected XSS vulnerability in the 's' parameter: because of missing security filters, malicious JavaScript code can be injected through this parameter.
Vulnerable versions of this plugin: Up to now, all versions of this plugin are vulnerable.

XSS Vulnerability in WP Floating Menu Plugin

This is a reflected XSS vulnerability: an attacker can execute malicious JavaScript code through the status parameter of the subscribe_sidebar file.
Vulnerable versions of this plugin: 1.3.1 and earlier

Unauthenticated File Upload Vulnerability in Quiz and Survey Master Plugin

Because the plugin does not validate the names of uploaded files, an attacker can upload malicious PHP files (such as web shells) to the server using a double extension, for example shell.php.jpeg.
Vulnerable versions of this plugin: 7.0.2 and earlier

XSS vulnerability in FooGallery plugin

This vulnerability results from insufficient filtering of user input in the image title or caption, which allows an attacker to execute malicious code.
Vulnerable versions of this plugin: 1.9.25 and earlier.

Authenticated File Upload Vulnerability in Autoptimize Plugin

Because the files uploaded in the AJAX requests sent by ao_ccss_import are not checked, a high-privilege user can upload PHP files, which could ultimately lead to an RCE attack.
Vulnerable versions of this plugin: 2.7.7 and before

SQL Injection Vulnerability in RSVP Maker Plugin

This vulnerability exists because user input in signed_up_ajax() is not restricted; using it, an attacker can execute their own queries.
Vulnerable versions of this plugin: 7.8.2 and before

Payment Bypass Vulnerability in WooCommerce Plugin – NAB Transact

Because this plugin does not validate the processing status of the request, an attacker can send a forged request at order time and register the order as paid.
Vulnerable versions of this plugin: 2.1.2 and before

CSRF vulnerability in the Contact Form – Form builder by Kali Forms plugin

Because of the way this plugin is coded, an attacker can bypass the security nonces and ultimately carry out a CSRF attack.
Vulnerable versions of this plugin: 2.1.2 and before

Information Disclosure vulnerability in Advanced Access Manager plugin

This vulnerability can be used to disclose information such as administrators' hashed passwords, their capabilities and their roles.
Vulnerable versions of this plugin: 6.6.2 and earlier.


Authorization Bypass and Privilege vulnerability in Advanced Access Manager plugin

Using this vulnerability, any user with a low access level can change their role and raise or lower their access level by submitting a POST request with modified role parameters.

Vulnerable versions of this plugin: 6.6.2 and earlier.

Vulnerabilities discovered in WordPress themes

In this section we examine the ways attackers gain access through WordPress themes and recall the essential points.

XSS Vulnerability in Home Villas Theme

Several vulnerabilities, including reflected XSS and persistent XSS, have been discovered in this theme, allowing an attacker to execute their code.
Vulnerable versions of this theme: up to now, all versions of this theme are vulnerable.

XSS Vulnerability in Geo Magazine Theme

This is a reflected XSS vulnerability that allows an attacker to execute malicious code.
Vulnerable versions of this theme: up to now, all versions of this theme are vulnerable.

XSS vulnerability in Nova Lite theme

This is a reflected XSS vulnerability: because the search query is not properly validated, an attacker can execute malicious code.
Vulnerable versions of this theme: 1.3.9 and earlier.

XSS Vulnerability in FoodBakery Theme

This is a reflected XSS vulnerability in the location parameter of the search query.
Vulnerable versions of this theme: 2.0 and earlier.

File Upload Vulnerability in Elegant Themes

Using this vulnerability, a user with contributor-level access can upload PHP files of their choosing, which may ultimately lead to RCE.
Vulnerable versions of this theme: 4.5.3 and earlier.

The last word

We emphasize again: if you use these plugins and themes on your website, update them as soon as possible so that your site is not exposed to these security problems.