Hi zseano, I've just found a P2 information disclosure on the /attendees/event.php endpoint.
How I found this bug
While looking out for interesting things on the target, I came across an endpoint /drpanel/drapi/sitesettings.php. When opened, I found a string X-SITE-REQ on that endpoint and understood that this might be a header, since there is a family of headers starting with X (X-Forwarded-For, X-Rewrite-URL, etc.). To confirm this I started searching for the string X-SITE-REQ everywhere in Burp and found it in one of the .js files, in the function modifyAppointment(). I came to know that this is indeed a header, with the value "permitted".
Then I started searching about this header to find out where it is used, what its purpose is, and so on. But I found nothing about it. After a lot of thinking, an idea struck me: what if I put this header and its value in every request I made in Burp? Then I found something interesting on /attendees/event.php.
When I don't put this header in the request, it gives an empty response. But when I add this header, it returns the event information. The parameter 'q' is used to supply the event_id.
Now, in the response, I found one more id called old_event_id. I just changed the q parameter's value to the old_event_id. Here, P2 information of users, like email and contact number, is being leaked.
The most important thing I learned here is: if you find anything new, like a new header or a new parameter, try it on every endpoint you've found.
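The root cause described above is an access-control decision made on a client-supplied header. The following is an added example, not the target's code or anything zseano's program provides: it models that defect in plain Python next to a hardened handler that decides authorization from the authenticated session and the event's ownership instead. The event table, owner names, attendee records and the function names are all constructed assumptions; only the endpoint behaviour (empty response without the header, full event data with it, the old_event_id pivot) follows the report.

```python
"""
Added example, not the reported target's code: models the authorization
defect in the write-up and a hardened version of the same handler.

Hypothetical assumptions: an in-memory event table, requests represented as
dicts of headers and query parameters, and a session user id supplied by the
framework after authentication.
"""

# Constructed sample data: two events, each with an organiser (owner),
# a reference to the previous event id, and attendee contact details.
EVENTS = {
    560700: {
        "owner": "alice",
        "old_event_id": 560699,
        "attendees": [{"email": "bob@example.test", "phone": "+1-555-0100"}],
    },
    560699: {
        "owner": "carol",
        "old_event_id": None,
        "attendees": [{"email": "dave@example.test", "phone": "+1-555-0101"}],
    },
}


def public_view(event):
    """Fields safe to show to anyone: no attendee contact details."""
    return {
        "old_event_id": event["old_event_id"],
        "attendee_count": len(event["attendees"]),
    }


def vulnerable_event_handler(headers, params):
    """Pattern from the report: a client-controlled header is the only gate.

    Without the header the endpoint returns nothing; with it, full attendee
    data is returned for whatever event id is passed in 'q', including the
    old_event_id found in a previous response.
    """
    if headers.get("X-SITE-REQ") != "permitted":
        return {}  # empty response, as observed without the header
    try:
        event = EVENTS.get(int(params.get("q", "")))
    except ValueError:
        return {}
    if event is None:
        return {}
    return {"old_event_id": event["old_event_id"], "attendees": event["attendees"]}


def hardened_event_handler(headers, params, session_user):
    """Hardened form: headers are ignored for authorization entirely.

    The decision is made from the server-side session and the event's
    ownership record, so changing 'q' to another event id only ever yields
    the public view unless the caller actually owns that event.
    """
    try:
        event_id = int(params.get("q", ""))
    except ValueError:
        return {"error": "bad request"}, 400
    event = EVENTS.get(event_id)
    if event is None:
        return {"error": "not found"}, 404
    if session_user is not None and session_user == event["owner"]:
        return {"old_event_id": event["old_event_id"],
                "attendees": event["attendees"]}, 200
    return public_view(event), 200


if __name__ == "__main__":
    # The old_event_id pivot: leaks under the header gate, not under the fix.
    print(vulnerable_event_handler({"X-SITE-REQ": "permitted"}, {"q": "560699"}))
    print(hardened_event_handler({"X-SITE-REQ": "permitted"}, {"q": "560699"}, "alice"))
```

The point of the hardened handler is not a better header check but no header check at all: anything the browser sends can be replayed by anyone, so the value "permitted" carries no trust, and the 'q' parameter must be authorized against the requester's own events on every call.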
Steps to reproduce
- Visit /attendees/event.php?q=560700
- Capture the above request in Burp.
- Add a new header, X-SITE-REQ: permitted, to the request.
- Observe that P2 information of users is being leaked.
Thanks zseano, and please let me know if you need any more info regarding this.
Note: I've attached images for your reference.