sgranel/directusv8
Directus V8

This article discusses security issues found in the Directus CMS, version 8.7.2.

In a professional context, I performed a security audit against a web application running under the Directus CMS. From the security best practices assessment, I found several flaws which can have a significant impact on overall security. The audited platform uses PHP 7.4, MySQL (VERSION) and Directus 8.7.2.

User enumeration

This vulnerability allows an attacker to list all configured users through the password reset function.

If an attacker requests a password reset for an email address that is already configured in the database, the service responds that a reset email was sent. For a non-existent email address, however, the service responds that the reset email cannot be sent. With an enumeration attack and a suitable wordlist, an attacker can therefore identify all configured addresses for further password brute-force attacks.

Request:

Host: demo.directus.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: application/json, text/plain, */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 28
Origin: https://demo.directus.io
DNT: 1
Connection: close
Referer: https://demo.directus.io/admin/

{"email":"test@yopmail.com"}

Response:

Date: Tue, 23 Feb 2021 16:16:09 GMT
Server: Apache/2.4.29 (Ubuntu)
Access-Control-Allow-Origin: https://demo.directus.io
Access-Control-Allow-Credentials: true
Content-Length: 81
Connection: close
Content-Type: application/json

{"error":{"code":107,"message":"User with email \"test@yopmail.com\" not found"}}
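The difference between the two responses above is the whole oracle. The following added example (mine, not Directus code) models a reset endpoint over a hypothetical in-memory user table and shows the leaking handler beside a hardened one that answers identically whether or not the address exists:

```python
"""Added example: password-reset responses as a user-enumeration oracle.

Hypothetical minimal model of a reset endpoint; not Directus code.
"""
from dataclasses import dataclass
import secrets

# Constructed sample user table: these addresses are made up for the demo.
USERS = {"alice@example.test": 1, "bob@example.test": 2}

SENT = []  # records what would have been mailed, so the demo stays offline


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def send_reset_mail(email: str, token: str) -> None:
    """Stand-in for the mailer: just records the message."""
    SENT.append((email, token))


def reset_vulnerable(email: str) -> Response:
    """Leaks account existence: status code and message differ per case."""
    if email not in USERS:
        msg = f'User with email "{email}" not found'
        return Response(404, {"error": {"code": 107, "message": msg}})
    send_reset_mail(email, secrets.token_urlsafe(32))
    return Response(200, {"data": {"message": "Reset email sent"}})


def reset_hardened(email: str) -> Response:
    """Same status and body either way; mail is only sent for known accounts.

    The remaining signal is timing (the mail call only runs for known users),
    which a real deployment closes by queueing the send asynchronously and
    by rate-limiting the endpoint per source address.
    """
    if email in USERS:
        send_reset_mail(email, secrets.token_urlsafe(32))
    msg = "If that address is registered, a reset email has been sent"
    return Response(200, {"data": {"message": msg}})


def is_oracle(handler) -> bool:
    """True if the handler's response distinguishes a known address from an unknown one."""
    known = handler("alice@example.test")
    unknown = handler("nobody@example.test")
    return known != unknown
```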

User enumeration with Burp

User enumeration with the interface

This vulnerability is reported under the CVE ID CVE-2021-27583.

System information

This vulnerability allows an attacker to obtain technical information about the server engine. From a simple API call, the server responds with technical details such as the Directus version, the PHP version and the type of database.

The attacker needs to be authenticated to see this information.

As the following screenshot shows, all technical information can easily be retrieved.

System information with Burp

This vulnerability is reported under the CVE ID CVE-2021-26595.

Privilege escalation

This vulnerability allows an attacker to elevate their privileges to administrator level. On the Directus platform, granting high privileges to an attacker can be done by accessing mysite/users/ID with the PATCH HTTP method. Among the parameters, it is quite easy to guess that the administrator role is associated with ID 1.

Admin profile

With a limited-privilege account, it is not possible to change the role from the interface:

Limited-rights profile

As the following screenshot shows, the PATCH request was sent with a standard user account and was successfully accepted by the server:

Original request:

Original request

Edited request by Burp Suite:

Edited request

Response concerning the edited request:

Response

This vulnerability is reported under the CVE ID CVE-2021-26594.

Retrieve all two-factor authentication secrets

This vulnerability allows an attacker to retrieve sensitive information about users. On Directus, two-factor authentication can be configured using a QR code.

To secure an account, a user can enable two-factor authentication. To log in, they must send their password and then enter a number generated by a dedicated application. These numbers are generated from a secret (https://en.wikipedia.org/wiki/Multi-factor_authentication), which is saved in Directus to verify the validity of the two-factor code sent.

When a user enables two-factor authentication, they receive a QR code to import this second factor into the dedicated application.

QR Code

This QR code can be read with any QR code scanner (here read with the “Scanner QR” application on Android):

QR Code read

Once authenticated, an attacker can see all users and their 2FA secrets:

All 2FA secrets

As the following screenshot shows, the server responds with full user data, including the 2fa_secret parameter. From this secret, an attacker can generate a QR code with a free online website such as:

Generating new QR Code

This vulnerability is reported under the CVE ID CVE-2021-26593.

Authors: Stanislas GRANEL, Arnaud COURTY

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

CC BY-SA 4.0
