Headline
GHSA-495j-h493-42q2: Strapi Allows Unauthorized Access to Private Fields via parms.lookup
Summary
It’s possible to access any private fields by filtering through the lookup parameters
Details
Using the new lookup operator provided by the document service in Strapi 5, it is not properly sanitizing this query operator for private fields.
PoC
- Create a strapi app.
- Create a content-type
- In the content-type you make a new entry
- Go back to the list view
- Add
&lookup[updatedBy][password][$startsWith]=$2to the end of your url (All passwords start with $2) see that all entries are still there - Add
&lookup[updatedBy][password][$startsWith]=$3see the entry disappear proving that the search above works
Impact
An attacker can perform filtering attacks on everything related to the object, including admin passwords and reset-tokens. This means that they can gain full access to the strapi instance.
Summary
It’s possible to access any private fields by filtering through the lookup parameters
Details
Using the new lookup operator provided by the document service in Strapi 5, it is not properly sanitizing this query operator for private fields.
PoC
- Create a strapi app.
- Create a content-type
- In the content-type you make a new entry
- Go back to the list view
- Add &lookup[updatedBy][password][$startsWith]=$2 to the end of your url (All passwords start with $2) see that all entries are still there
- Add &lookup[updatedBy][password][$startsWith]=$3 see the entry disappear proving that the search above works
Impact
An attacker can perform filtering attacks on everything related to the object, including admin passwords and reset-tokens. This means that they can gain full access to the strapi instance.
References
- GHSA-495j-h493-42q2
- strapi/strapi@0c6e095