FirstBlood-#1607: Information Disclosure about private locations
This issue was discovered on FirstBlood v3



On 2022-12-12, xnl-h4ck3r Level 4 reported:

Summary

There is an information disclosure vulnerability that leaks details of private locations to any user without any need for authentication.

The home page shows that locations are in Chicago and Seattle, but the details of the location should be private unless a user has a confirmed booking.

However, this can be viewed by anyone without having to make a booking.

Steps to Reproduce

  1. Go to endpoint /api/locations.php?location=chicago

  2. Go to endpoint /api/locations.php?location=seattle

Impact

Data that is intended to be private is available for any user to view.

P2 High

Endpoint: /api/locations.php

Parameter: location

Payload: chicago & seattle


FirstBlood ID: 62
Vulnerability Type: Access_control

The endpoint /api/locations?location= leaks the Seattle and Chicago addresses despite them being listed as PRIVATE on FirstBlood v3
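
The missing check behind this finding, modelled as an added example (not FirstBlood's code, which is PHP and is not shown on this page): the handler must decide server-side whether the caller has a confirmed booking for the requested location before it returns the address. The function names, user IDs, booking rows and address placeholders are all constructed assumptions.

```python
# Added illustration; data, names and schema are constructed, not FirstBlood's.
LOCATIONS = {
    "chicago": {"city": "Chicago", "address": "<chicago-address-placeholder>"},
    "seattle": {"city": "Seattle", "address": "<seattle-address-placeholder>"},
}
# (user_id, location, status) rows standing in for a bookings table.
BOOKINGS = [
    ("user-1", "chicago", "confirmed"),
    ("user-2", "seattle", "pending"),
]


def get_location_vulnerable(location):
    """Behaviour described in the report: no session or booking check."""
    record = LOCATIONS.get((location or "").strip().lower())
    if record is None:
        return 404, {"error": "unknown location"}
    return 200, dict(record)


def has_confirmed_booking(user_id, location):
    """True only for a booking by this user, at this location, that is confirmed."""
    return any(
        uid == user_id and loc == location and status == "confirmed"
        for uid, loc, status in BOOKINGS
    )


def get_location(session_user, location):
    """Hardened handler: deny by default, release the address only when entitled."""
    if session_user is None:
        return 401, {"error": "authentication required"}
    key = (location or "").strip().lower()
    record = LOCATIONS.get(key)
    if record is None:
        return 404, {"error": "unknown location"}
    if not has_confirmed_booking(session_user, key):
        # City names are already public on the home page; the address is not.
        return 403, {"city": record["city"], "error": "confirmed booking required"}
    return 200, dict(record)


if __name__ == "__main__":
    print(get_location_vulnerable("chicago"))   # anonymous caller gets the address
    print(get_location(None, "chicago"))        # anonymous caller rejected
    print(get_location("user-2", "seattle"))    # pending booking is not enough
    print(get_location("user-1", "chicago"))    # confirmed booking
```

The same four cases (anonymous, pending booking, booking for a different location, confirmed booking) make a regression test for the real endpoint once the fix is in place.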