directus vulnerable to Insertion of Sensitive Information into Log File

Main / directus vulnerable to Insertion of Sensitive Information into Log File

Discription

### Summary

CWE-532: Insertion of Sensitive Information into Log File discovered in v9.23.1. The `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission.

### Details

Using `v9.23.1`, I am seeing that the `directus_refresh_token` is not properly redacted as indicated by https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13

I’m classifying this as a security vulnerability because if someone has access to the log outputs, for example with a shared Cloud account or Splunk implementation, they could exchange the refresh token using `/auth/refresh` for an access token and use the token to perform actions on behalf of an unsuspecting user. This situation creates issues with accountability and non-repudiation because we can no longer have confidence that actions taken in the application were authorized or even performed by the logged-in user.

A couple of examples of this are:
– A disgruntled employee deletes all of the data to get even with a target team member before logging off on their last day
– Under the guise of their unsuspecting boss, a mischievous engineer uploads _questionable_ images that get displayed on internal or external facing content sites

The list could go on but I think these communicate the risk of an internal threat that has access to this information ð

### PoC
1. Set `LOG_STYLE=”raw”` and run Directus v9.23.1
1. Log in to the application
1. Look at the shell output and see that `directus_refresh_token` is logged
> Note: This is different from the standard `raw` output format. I intentionally ran this with `npx directus start | pino-pretty` so logs would be easier to read. It can also be reproduced by running `npx directus start` alone.

![image](https://user-images.githubusercontent.com/13325146/224877190-54e12d7e-3c3e-42d3-9e21-0bd4439f4f44.png)

1. Exchange the `directus_refresh_token` for an `access_token`

“` shell
curl -X POST
‘https://0.0.0.0:8055/auth/refresh’
–header ‘Accept: */*’
–header ‘Cookie: directus_refresh_token=$shh’
“`

### Impact
Because this can be used to exploit other threats related to [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html) I rank it with a Moderate severity. An insider with knowledge of this could do many mischievous things and get away with them for a long time without victims knowing about it.Read More

References

Back to Main

Subscribe for the latest news: