FirstBlood-#165 P2 information disclosure of the users attending the events



On 2021-05-11, iffu reported:

Summary

Hi zseano, I've just found a P2 information disclosure on /attendees/event.php endpoint.

How I found this bug

While looking out for interesting things on the target, I came across an endpoint /drpanel/drapi/sitesettings.php. When opened, I found a string X-SITE-REQ on that endpoint and understood that this might be a header, since there is a family of headers starting with X (X-Forwarded-For, X-Rewrite-URL etc.). To confirm this I started searching for the string X-SITE-REQ everywhere in Burp and found it in one of the .js files in the function modifyAppointment(). I came to know that this is indeed a header with a value "permitted".

Then I started searching about this header to know where it is used, what its purpose is and things like that. But I found nothing about it. And after much thinking, an idea struck me: what if I put this header and its value in every request I made in Burp? Then I found something interesting on /attendees/event.php.

When I don't put this header in the request, it gives an empty response. But, when I give this header, it returns the event information. The parameter 'q' is used to input event_id.

Now, in the response, I found one more id called old_event_id. I just changed the q parameter's value to the old_event_id. Here, P2 information of users like email and contact number is being leaked.

The most important thing I learned here is: if you find anything like a new header or a new parameter, try it on every endpoint you've found.

Steps to reproduce

  • Visit /attendees/event.php?q=560700
  • Capture the above request in Burp.
  • Add a new header X-SITE-REQ: permitted to the request.
  • Observe that P2 information of users is being leaked.

Thanks zseano, and please let me know if you need any more info regarding this.

Note: I've attached images for your reference.

P1 CRITICAL

Endpoint: /attendees/event.php

Parameter: q

Payload: *****


FirstBlood ID: 13
Vulnerability Type: Info leak

/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees.
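The root cause described in the report and the triage note above is an endpoint whose access control is a client-supplied header, combined with an event id (`q`, and the linked `old_event_id`) that is never tied to the caller. The following added example is not the FirstBlood application's code; it is a stdlib-only Python model of such a handler, showing the flawed pattern beside a hardened one. The event ids, user names, attendee records and the `Request`/`session` structure are all constructed placeholders for the example.

```python
# Added example (not the FirstBlood application's code): a minimal model of the
# access check behind an endpoint like /attendees/event.php, showing the flawed
# pattern described in the report beside a hardened version.
# All data below is constructed for the example; the event ids, users and
# attendee records are placeholders, not values from the real target.

from dataclasses import dataclass, field

# Constructed sample data: two events; the second is the "old" event linked
# from the first via old_event_id, mirroring what the reporter observed.
EVENTS = {
    "560700": {"name": "Example Summit 2021", "organizer": "alice", "old_event_id": "560699"},
    "560699": {"name": "Example Summit 2020", "organizer": "alice", "old_event_id": None},
}
ATTENDEES = {
    "560700": [{"name": "Attendee One", "email": "one@example.invalid", "phone": "000-0000"}],
    "560699": [{"name": "Attendee Two", "email": "two@example.invalid", "phone": "000-0001"}],
}


@dataclass
class Request:
    """Hypothetical request object: query params, raw headers and the
    server-side session resolved from the session cookie (empty = anonymous)."""
    params: dict
    headers: dict
    session: dict = field(default_factory=dict)


def event_attendees_vulnerable(req: Request) -> dict:
    """Flawed pattern from the report: a client-supplied header is the only gate.

    Any client can add the header, and the event id in `q` is never tied to the
    caller, so supplying old_event_id values yields other events' attendee PII.
    """
    if req.headers.get("X-SITE-REQ") != "permitted":
        return {}  # the blank response the reporter saw without the header
    event_id = req.params.get("q", "")
    event = EVENTS.get(event_id)
    if event is None:
        return {}
    return {"event": event, "attendees": ATTENDEES.get(event_id, [])}


def event_attendees_hardened(req: Request) -> dict:
    """Authorisation derives only from server-side session state and event ownership.

    The X-SITE-REQ header is ignored entirely: request headers are under the
    client's control and must never stand in for authentication or authorisation.
    """
    user = req.session.get("user")
    if user is None:
        return {"error": "authentication required", "status": 401}
    event_id = req.params.get("q", "")
    event = EVENTS.get(event_id)
    # Object-level check: the caller must own *this* event, so changing q to an
    # old_event_id gains nothing unless the caller owns that event as well.
    # Missing and foreign events get the same response to avoid id enumeration.
    if event is None or event["organizer"] != user:
        return {"error": "not found", "status": 404}
    return {"event": event, "attendees": ATTENDEES.get(event_id, []), "status": 200}


if __name__ == "__main__":
    anon = Request(params={"q": "560699"}, headers={"X-SITE-REQ": "permitted"})
    print("vulnerable, anonymous + header:", event_attendees_vulnerable(anon))
    print("hardened,   anonymous + header:", event_attendees_hardened(anon))
    owner = Request(params={"q": "560699"}, headers={}, session={"user": "alice"})
    print("hardened,   event owner:        ", event_attendees_hardened(owner))
```

The hardened handler makes two separate decisions that the vulnerable one collapses into a header check: who the caller is (from the session, not the request) and whether that caller may read this specific event (an object-level check per id). The second decision is what closes the `old_event_id` path, since each id is authorised on its own.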


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.