Описание
Strapi Allows Unauthorized Access to Private Fields via parms.lookup
Summary
It's possible to access any private fields by filtering through the lookup parameters
Details
Using the new lookup operator provided by the document service in Strapi 5, it is not properly sanitizing this query operator for private fields.
PoC
- Create a strapi app.
- Create a content-type
- In the content-type you make a new entry
- Go back to the list view
- Add
&lookup[updatedBy][password][$startsWith]=$2to the end of your url (All passwords start with $2) see that all entries are still there - Add
&lookup[updatedBy][password][$startsWith]=$3see the entry disappear proving that the search above works
Impact
An attacker can perform filtering attacks on everything related to the object, including admin passwords and reset-tokens. This means that they can gain full access to the strapi instance.
Пакеты
@strapi/core
>= 5.0.0, < 5.5.2
5.5.2
Связанные уязвимости
Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset tokens, by crafting queries with the lookup parameter. This vulnerability is fixed in 5.5.2.