Strapi
cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*
- >= 4.0.0
- <= 5.36.1
Strapi, an open-source headless content management system, contains a vulnerability in versions 4.0.0 up to and including 5.36.1 (fixed in 5.37.0). Query parameters used to filter content through relational fields are not adequately sanitized: operator chains in the 'where' query parameter can traverse from a publicly readable content type, through an admin-relation field such as 'updatedBy', into the relation's target schema, the 'admin_users' table, without any permission check on the target fields. Because the number of records returned depends on whether the filter condition matched, the response count serves as a one-bit oracle on any field of 'admin_users', including private fields such as 'resetPasswordToken'. An unauthenticated attacker can therefore run a boolean-oracle attack to extract an administrator's password reset token and take over the administrative account.
Successful exploitation allows for full administrative account takeover by extracting reset tokens from the 'admin_users' table via a boolean-oracle attack, without the need for authentication.
To reproduce this vulnerability, send a request to a public Content API endpoint whose content type exposes 'updatedBy' or another admin-relation field, with a 'where' filter whose operator chain descends through that relation into a private field of the 'admin_users' table, such as 'resetPasswordToken'. Because the filter is not sanitized, the server evaluates the condition against the admin table, and the presence or absence of matching records in the response reveals whether the guessed token value satisfied the condition. Repeating the request with successive guesses leaks the token one bit at a time.
Users are advised to update Strapi to version 5.37.0 or later.
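The traversal described above can be screened for in front of the Content API while the upgrade is rolled out, and the same check can be run over access logs to find attempts. The following is an added example written for this page; it is not Strapi's code or the 5.37.0 fix, and it does not perform the attack. It parses the bracket-style filter syntax the Strapi REST API uses (the root key is not special-cased, so both 'filters' and 'where' parameters are covered), walks the resulting tree, and reports every branch that passes through an admin-relation field into a field of the related admin table. The relation names ('createdBy', 'updatedBy'), the allowlist (only 'id'), the sample requests and the function names are assumptions for illustration.

```javascript
// Added example, not Strapi's own code or fix. It parses the bracket-style
// query string the Strapi REST API uses and rejects any filter that descends
// through an admin-relation field into the related admin-user table.
// Assumptions (hypothetical, tune to your schema): admin relations are exposed
// as createdBy/updatedBy, and only `id` may be used on them in a filter.

const ADMIN_RELATION_FIELDS = new Set(['createdBy', 'updatedBy']);
const ALLOWED_ADMIN_FIELDS = new Set(['id']);

// Strapi-style operators ($eq, $startsWith, $or, ...) and array indices are
// structural, not fields of the joined table.
const isStructural = (key) => key.startsWith('$') || /^\d+$/.test(key);

// "filters[updatedBy][resetPasswordToken][$startsWith]=ab" becomes
// { filters: { updatedBy: { resetPasswordToken: { $startsWith: 'ab' } } } }.
// The root key is not special-cased, so `where[...]` is parsed the same way.
function parseQuery(queryString) {
  const tree = {};
  for (const [rawKey, value] of new URLSearchParams(queryString)) {
    const path = rawKey.replace(/\]/g, '').split('[');
    let node = tree;
    for (const seg of path.slice(0, -1)) {
      if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return tree;
}

// Depth-first walk. Once a path has passed through an admin relation, every
// further field segment must be on the allowlist; the first offending field
// on each branch is reported as a dotted path.
function findAdminTraversals(node, path = [], insideAdmin = false, hits = []) {
  if (node === null || typeof node !== 'object') return hits;
  for (const [key, child] of Object.entries(node)) {
    const next = [...path, key];
    if (insideAdmin && !isStructural(key) && !ALLOWED_ADMIN_FIELDS.has(key)) {
      hits.push(next.join('.'));
      continue;
    }
    findAdminTraversals(child, next, insideAdmin || ADMIN_RELATION_FIELDS.has(key), hits);
  }
  return hits;
}

// Screen one request URL (as it appears in an access log); returns the
// offending filter paths, empty when the request is acceptable.
function screenRequest(url) {
  const { search } = new URL(url, 'http://localhost');
  return findAdminTraversals(parseQuery(search));
}

// Constructed sample requests for illustration; they are not captured traffic.
const SAMPLE_REQUESTS = [
  '/api/articles?filters[title][$contains]=strapi&populate=*',
  '/api/articles?filters[updatedBy][id][$eq]=1',
  '/api/articles?filters[updatedBy][resetPasswordToken][$startsWith]=ab',
  '/api/articles?filters[$or][0][createdBy][email][$contains]=admin',
  '/api/articles?where[updatedBy][password][$notNull]=true',
];

// Return only the requests that traverse into the admin table.
function flaggedRequests(urls = SAMPLE_REQUESTS) {
  return urls
    .map((url) => ({ url, traversals: screenRequest(url) }))
    .filter((r) => r.traversals.length > 0);
}

for (const { url, traversals } of flaggedRequests()) {
  console.log(`REJECT ${url}\n  -> ${traversals.join(', ')}`);
}
```

Run it with node; of the five constructed requests, the first two pass and the last three are rejected. To hunt for past attempts, feed screenRequest() the request path from each access-log line: a rejected branch that names 'resetPasswordToken' or another credential field under 'createdBy' or 'updatedBy' is the pattern this advisory describes. Adjust ADMIN_RELATION_FIELDS and ALLOWED_ADMIN_FIELDS to the actual schema before relying on it.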