Directus Search Parameter Vulnerability Allows Unauthorized Field Enumeration

Vulnerability

A vulnerability in Directus versions from 9.0.0-alpha.4 up to, but not including, 11.5.0 allows users to use the 'search' query parameter to filter collection items on fields they lack permission to view, which lets them enumerate the contents of restricted fields. The issue arises because the searchable columns, both numeric and string, are not validated against the requesting role's permission rules when the 'where' clauses for a search query are generated. As a result, users can retrieve data from fields they are not authorized to see.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as email addresses, password hashes, and admin-level access tokens, depending on the specific Directus instance and its permission configurations.

Reproduction

To reproduce this vulnerability, create a collection with a string or numeric field. Set the permissions for the public role to exclude the newly created field. Then populate the collection items with identifiable content in the restricted field. Finally, query the collection with the 'search' parameter set to content from the restricted field. The response will include the matching items, demonstrating the vulnerability.
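The following is an added illustrative example, not Directus's own code, modelling the where-clause generation described above: the vulnerable builder searches every string or numeric column, while the hardened builder first intersects the searchable columns with the fields the role may read. The collection, field names and permission object are constructed for the example.

```javascript
// Added example (not Directus's implementation). Constructed collection with two
// searchable string fields and two searchable integer fields.
const collection = {
  name: 'users',
  fields: [
    { name: 'id', type: 'integer' },
    { name: 'email', type: 'string' },
    { name: 'token', type: 'string' },
    { name: 'age', type: 'integer' },
  ],
};

// Constructed permission: the public role may read only `id` and `age`.
const publicPermission = { collection: 'users', fields: ['id', 'age'] };

// A column is searchable when it is a string, or an integer and the search
// term itself is numeric.
function isSearchable(field, search) {
  if (field.type === 'string') return true;
  return field.type === 'integer' && Number.isInteger(Number(search));
}

function toClause(field, search) {
  return { field: field.name, op: field.type === 'string' ? 'contains' : 'eq', value: search };
}

// Vulnerable: every searchable column becomes a `where` clause, regardless of
// whether the role is permitted to read it (the behaviour described above).
function buildSearchWhereVulnerable(collection, search) {
  return collection.fields
    .filter((f) => isSearchable(f, search))
    .map((f) => toClause(f, search));
}

// Hardened: only columns the role may read are considered; a '*' grant keeps
// every column. Restricted fields never reach the query, so they cannot leak.
function buildSearchWhereHardened(collection, search, permission) {
  const allowed = new Set(permission.fields);
  const wildcard = allowed.has('*');
  return collection.fields
    .filter((f) => isSearchable(f, search))
    .filter((f) => wildcard || allowed.has(f.name))
    .map((f) => toClause(f, search));
}

// Helper for inspection: which columns a clause list actually touches.
function searchedFields(clauses) {
  return clauses.map((c) => c.field);
}
```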

Remediation

Update to Directus version 11.5.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.