FirstBlood-#146 Leak PII through the events API
This issue was discovered on FirstBlood v1



On 2021-05-10, jomar Level 4 reported:

Description

Hello :) With my friend Serizao, after some research I was able to find a way to leak user information through the event API.

By going to the page hackerback and observing its source code, it is possible to see that under certain conditions a request is made to the page /attendees/event.php?q=560720:

When you go to this page, you simply get a 200 response with empty content, so the page does exist, but something is missing in order to query it.

By looking at the requests made when using the application, and after trying different parameters, methods, etc., I could see that all the other requests use the header X-SITE-REQ: permitted in order to make the request.

By adding this header, it is possible to get access to a first version of the response. It is then possible to observe that the event also has an old_eventID; using this ID, it is possible to get access to PII.

Impact

  • An unauthenticated standard user is able to access PII

Remediation

  • This endpoint should certainly not be accessible to a standard user. It would be necessary to add an additional header with an API key, or to perform a check on the cookie to verify that the user is authenticated in the administration space and has the necessary privileges.

P1 CRITICAL

Endpoint: /attendees/event.php?q=560720

Parameter: X-SITE-REQ: permitted

Payload: See report


FirstBlood ID: 13
Vulnerability Type: Information leak/disclosure

The /attendees/event endpoint is referenced from the HackerBack.html page but returns a blank response. Further inspection while using the web app shows that adding certain headers lets you interact with this endpoint, and the old event ID it returns leaks attendees' PII.
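The chain described in the report and restated in the summary above, as an added example that is not code from the original report or from FirstBlood itself. It models the reported endpoint in memory: a blank 200 without the header, event data including old_eventID once "X-SITE-REQ: permitted" is added, and attendee PII when the old ID is requested. Next to it is the remediation the reporter proposes, a server-side check of the session cookie for an authenticated administrator. The sample attendees, the event name and attendee field names, the second event ID 560719, and the session/role model are assumptions for the demonstration; only the endpoint, the header and the old_eventID field come from the page.

```python
"""Added example (not the original report's or FirstBlood's code).

Models the two-step leak from the report: /attendees/event.php?q=<id>
answers 200 with an empty body unless the request carries
"X-SITE-REQ: permitted"; with the header it returns event data that
includes old_eventID, and requesting that old ID returns attendee PII.
Sample data, field names other than old_eventID, and the session/role
model of the hardened handler are assumptions for the demo.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample data (not real attendees). 560720 is the event ID seen
# in the report; 560719 as its old_eventID is an assumption.
EVENTS: Dict[int, dict] = {
    560720: {"name": "HackerBack (current)", "old_eventID": 560719},
    560719: {"name": "HackerBack (previous)", "old_eventID": None},
}
ATTENDEES: Dict[int, List[dict]] = {
    560720: [],
    560719: [{"name": "Alice Example", "email": "alice@example.com",
              "phone": "+1-555-0100"}],
}


@dataclass
class Request:
    query: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)
    session: Optional[dict] = None  # None: no valid session cookie


@dataclass
class Response:
    status: int
    body: Optional[dict]  # None: empty body, as the reporter observed


def _lookup(event_id_raw: str) -> Response:
    """Shared event lookup: event record, its old_eventID and attendees."""
    try:
        event_id = int(event_id_raw)
    except ValueError:
        return Response(400, None)
    event = EVENTS.get(event_id)
    if event is None:
        return Response(404, None)
    return Response(200, {"event": event["name"],
                          "old_eventID": event["old_eventID"],
                          "attendees": ATTENDEES.get(event_id, [])})


def event_endpoint_vulnerable(req: Request) -> Response:
    """As reported: the only gate is a static header any client can copy."""
    if req.headers.get("X-SITE-REQ") != "permitted":
        return Response(200, None)  # 200 but empty content
    return _lookup(req.query.get("q", ""))


def event_endpoint_fixed(req: Request) -> Response:
    """Remediation from the report: require an authenticated admin session,
    verified server-side, instead of a header value shipped in client JS."""
    if not req.session or not req.session.get("authenticated"):
        return Response(401, None)
    if req.session.get("role") != "admin":
        return Response(403, None)
    return _lookup(req.query.get("q", ""))


Handler = Callable[[Request], Response]


def leak_pii(handler: Handler, event_id: int = 560720) -> dict:
    """Replay the reporter's chain against a handler: request without the
    header, then with it, then follow old_eventID with the header.
    Returns what each step yielded, including every attendee record found."""
    result: dict = {"blank_without_header": False, "old_eventID": None, "pii": []}
    plain = handler(Request({"q": str(event_id)}))
    result["blank_without_header"] = plain.status == 200 and plain.body is None
    hdr = {"X-SITE-REQ": "permitted"}
    first = handler(Request({"q": str(event_id)}, hdr))
    if first.status != 200 or first.body is None:
        return result  # gate held: nothing to follow
    result["pii"].extend(first.body.get("attendees", []))
    old_id = first.body.get("old_eventID")
    result["old_eventID"] = old_id
    if old_id is not None:
        follow = handler(Request({"q": str(old_id)}, hdr))
        if follow.status == 200 and follow.body is not None:
            result["pii"].extend(follow.body.get("attendees", []))
    return result


if __name__ == "__main__":
    print("vulnerable:", leak_pii(event_endpoint_vulnerable))
    print("fixed, no session:", leak_pii(event_endpoint_fixed))
    admin = Request({"q": "560719"},
                    session={"authenticated": True, "role": "admin"})
    print("fixed, admin session:", event_endpoint_fixed(admin).body)
```

Run it as a script and the vulnerable handler hands the attendee record to a client with no session at all, while the fixed handler refuses both the bare request and the header-only request and only answers an admin session. One caveat on the report's first remediation option: an API key sent as another request header is only an improvement if it is never exposed to the browser; a key embedded in the page's JavaScript, like the existing X-SITE-REQ value, is copied just as easily, so the session check is the option to prefer.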