Leaking sensitive user information still possible by filtering on private with prefix fields

Summary

Still able to leak private fields if using the t(number) prefix

Details

Knex query allows you to change there default prefix
SqliteError: select distinct `t0`.* from `pages` as `t0` left join `admin_users` as `t1` on `t0`.`updated_by_id` = `t1`.`id` where (`t1`.`password` = 1)
so if you change the prefix to the same as it was before or to an other table you want to query you query changes from password to t1.password password is protected by filtering protections but t1.password is not protected

PoC

1 Create a contentType
2 add to its options "populateCreatorFields"
3 create 1 entity in your new content type
4 in settings enable the find route in settings for the content type you created for public
5 /api/(Your contenttype)?filters%5BupdatedBy%5D%5Bt1.password%5D%5B%24startsWith%5D=a%24
And now the api returns noting if you were to do
/api/(Your contenttype)?filters%5BupdatedBy%5D%5Bt1.password%5D%5B%24startsWith%5D=%24 it would return your entity

Impact

You can do filtering attacks on everything related to the object again including admin passwords and reset-tokens.

References

alexandrebodin published to strapi/strapi Jul 25, 2023

Published to the GitHub Advisory Database Jul 25, 2023

Reviewed Jul 25, 2023

Published by the National Vulnerability Database Jul 25, 2023

Last updated Nov 4, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Summary

Details

PoC

Impact

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits