FirstBlood-#117Un-Authorized access to critical users PII through the vulnerable /attendees/event.php endpoint



On 2021-05-10, holybugx reported:

Description

Hello Sean,

I found out that visiting the /hackerback.html endpoint results in an interesting inline javascript in the source code of the page:

    <script>
       function getAttendees() {
        var attending = false;

        if (attending == true) {
            sendRequest("/attendees/event.php?q=560720");
       }
    </script>

Simply opening the /attendees/event.php?q=560720 results in an empty JSON page, however, from my previous knowledge on the application I had found that visiting /drpanel/drapi/sitesettings.php leaks an interesting JSON array:

{

    "site": "firstblood",
    "process": "eventhandler",
    "x-required": [
        {
            "x-site-req": "permitted"
        },
        {
            "type": "request"
        }
    ],
    "active": true

}

I understood that x-site-req should be used as an HTTP header, so adding x-site-req: permitted to the HTTP request header of /attendees/event.php?q=560720 leads to disclosure about the "hackerbank" event, you can add the x-site-req: permitted header using burp suite:

When I was inspecting the returned JSON, I found an interesting JSON parameter "old_eventID":"560700"

So I changed the /attendees/event.php?q=560720 endpoint to /attendees/event.php?q=560700 (keeping the x-site-req: permitted header) and there are critical PII leaks of users:

An example of the critical PII leakages such as "last_4_CC":

{

    "name": "Sean R",
    "email": "[email protected]",
    "confirmed": true,
    "contactNumber": "+44 141 496 0250",
    "last_4_CC": "9090"

},

Impact

  • Critical PII Leakage of users

If you need any further assistance let me know.

Best Regards,

HolyBugx

P1 CRITICAL

Parameter:

Payload:


FirstBlood ID: 13
Vulnerability Type: Info leak

/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees.


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.