Strapi, Authorization Bypass, CVE-2025-51724 (High)

How the mentioned CVE works:

The vulnerability exists within the document service of Strapi 5, which introduced a new `lookup` query operator. This operator is designed to allow complex queries across related data models. However, the implementation fails to properly sanitize and restrict this operator from being used on private fields. Private fields, such as password hashes and reset tokens, are defined in the content-type schemas and should never be exposed in API responses or accepted as a filter condition. An attacker can craft a malicious API request using the `lookup` operator to target these private fields. By applying a filter condition like `$startsWith` to a password hash field, the attacker can infer the field's value from whether results are returned, effectively allowing a blind enumeration attack that extracts sensitive data.
Platform: Strapi
Version: 5.x
Vulnerability: Authorization Bypass
Severity: High

Date: 2024-10-16

Prediction: Patch by 2024-10-30

What Undercode Say:

`curl -X GET 'https://target.com/api/users?filters[bash][updatedBy][bash][$startsWith]=\$2'`
`strapi.services['document'].find({ lookup: { updatedBy: { password: { $startsWith: '$2a' } } } })`

`const isPrivateField = field.attributes.private === true;`

How Exploit:

Craft API request with lookup operator targeting private password field. Use `$startsWith` filter to perform blind enumeration of password hash prefixes. Observe API response differences to confirm hash values and deduce sensitive information.

Protection from this CVE:

Immediately upgrade Strapi upon patch release. Implement strict input validation for all query parameters, especially the lookup operator. Enforce a robust allowlist for fields that can be used in filtering operations. Review and audit all content-type schemas to ensure sensitive fields are correctly marked as private.
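The allowlist check above, as an added example that is not Strapi's own code: it walks a document-service query (its `filters` and the `lookup` condition tree), follows relations into their target schema, and rejects any condition that touches a field marked `private: true` or a field the schema does not know. The schemas, the `validateDocumentQuery` guard and its call site are assumptions for illustration.

```javascript
// Added defensive example, not Strapi's own code. Schemas below are constructed.
const schemas = {
  'api::user.user': { attributes: {
    username: { type: 'string' },
    password: { type: 'string', private: true },
    resetPasswordToken: { type: 'string', private: true },
    updatedBy: { type: 'relation', target: 'admin::user' },
  } },
  'admin::user': { attributes: { firstname: { type: 'string' }, password: { type: 'string', private: true } } },
};
// Walks a condition tree; returns null when clean, otherwise the dotted path
// of the offending field and why it was rejected (private or unknown).
function findForbiddenField(node, schema, path = []) {
  if (node === null || typeof node !== 'object') return null; // scalar operand, e.g. '$2a'
  if (Array.isArray(node)) { // $and / $or / $in operands
    for (const item of node) {
      const hit = findForbiddenField(item, schema, path);
      if (hit) return hit;
    }
    return null;
  }
  for (const [key, value] of Object.entries(node)) {
    if (key.startsWith('$')) { // $lookup, $and, $not, $startsWith ...: descend, same field path
      const hit = findForbiddenField(value, schema, path);
      if (hit) return hit;
      continue;
    }
    const attr = schema.attributes[key];
    const here = [...path, key].join('.');
    if (!attr) return { field: here, reason: 'unknown' }; // fail closed on unknown keys
    if (attr.private === true) return { field: here, reason: 'private' };
    if (attr.type === 'relation') { // follow the relation into the target's schema
      const target = schemas[attr.target];
      if (!target) return { field: here, reason: 'unknown' };
      const hit = findForbiddenField(value, target, [...path, key]);
      if (hit) return hit;
    }
  }
  return null;
}
// Guard to run before the document-service query executes (hypothetical call site).
function validateDocumentQuery(uid, query) {
  const schema = schemas[uid];
  if (!schema) return { ok: false, reason: 'unknown content type' };
  for (const part of ['filters', 'lookup']) { // both places a condition tree can appear
    const hit = findForbiddenField(query[part], schema);
    if (hit) return { ok: false, part, ...hit };
  }
  return { ok: true };
}
```

A rejected query should be answered with a 400 and logged with the offending field path, since repeated hits on `updatedBy.password` or `resetPasswordToken` are the enumeration pattern described above.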

Impact:

Full administrative access compromise. Unauthorized disclosure of highly sensitive data like password hashes and reset tokens. Complete system takeover and potential data breach.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode