FirstBlood-#165 — P2 information disclosure of the users attending the events
This issue was discovered on FirstBlood v1.0.0
On 2021-05-11, iffu reported:
Hi zseano, I've just found a P2 information disclosure on the /attendees/event.php endpoint.
How I found this bug
While looking for interesting things on the target, I came across an endpoint, /drpanel/drapi/sitesettings.php. When I opened it, I found the string X-SITE-REQ on that endpoint and understood that this might be a header, since there is a family of headers starting with X (X-Forwarded-For, X-Rewrite-URL, etc.). To confirm this, I started searching for the string X-SITE-REQ everywhere in Burp and found it in one of the .js files, in the function modifyAppointment(). I came to know that this is indeed a header, with the value "permitted".
Then I started searching about this header to learn where it is used, what its purpose is, and things like that. But I found nothing about it. After much thinking, an idea struck me: what if I put this header and its value in every request I made in Burp? Then I found something interesting on /attendees/event.php.
When I don't put this header in the request, it gives an empty response. But when I add this header, it returns the event information. The parameter 'q' is used to input the event_id.
Now, in the response, I found one more id, called old_event_id. I just changed the q parameter's value to the old_event_id. Here, P2 information about users, like email and contact number, is being leaked.
The most important thing I learned here is that if you find anything new, like a new header or a new parameter, try it on every endpoint you've found.
Steps to reproduce
- Visit /attendees/event.php?q=560700
- Capture the above request in Burp.
- Add a new header, X-SITE-REQ: permitted, to the request.
- Observe that P2 information of users is being leaked.
Thanks zseano, and please let me know if you need any more info regarding this.
Note: I've attached images for your reference.
FirstBlood ID: 13
Vulnerability Type: Information leak/disclosure
/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection, and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. Requesting an old event ID then leaks attendees' PII.
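The root cause described in both the report and the FirstBlood note is that a client-supplied header (X-SITE-REQ: permitted) acts as the only gate on attendee data, and that nothing checks whether the caller is entitled to the specific event id passed in q, so following old_event_id reaches other attendees' PII. The following added example (not FirstBlood's code; the event records, organiser ids and attendee details are constructed for illustration, and the handler signatures are an assumption) models that behaviour in Python beside a hardened handler, in which authorisation comes from the server-side session and is re-evaluated for every event id.

```python
"""Header-gated endpoint versus a session-authorised one.

Added example, not part of FirstBlood or the original report. It models the
/attendees/event.php behaviour in memory: a request is a query dict, a
headers dict and a server-side session dict; a handler returns (status, body).
"""

# Constructed sample data: each event has an organiser and a link to an
# older event id, mirroring the old_event_id field seen in the report.
EVENTS = {
    560700: {"name": "Sample event", "organiser": "org-1", "old_event_id": 560699},
    560699: {"name": "Archived event", "organiser": "org-1", "old_event_id": None},
}
# Constructed attendee records (these are the PII fields the report mentions).
ATTENDEES = {
    560700: [{"name": "A. Attendee", "email": "a@example.test", "phone": "555-0100"}],
    560699: [{"name": "B. Attendee", "email": "b@example.test", "phone": "555-0101"}],
}


def public_view(event_id):
    """Fields that are safe to return to any caller, or None if no such event."""
    ev = EVENTS.get(event_id)
    if ev is None:
        return None
    return {"name": ev["name"]}


def vulnerable_event_handler(query, headers, session):
    """Mirrors the reported behaviour: the header alone decides what is returned.

    The session is ignored entirely, so anyone who knows the header value and
    an event id (including one read from old_event_id) receives attendee PII.
    """
    if headers.get("X-SITE-REQ") != "permitted":
        return 200, ""  # blank response, as observed without the header
    try:
        event_id = int(query.get("q", ""))
    except ValueError:
        return 400, ""
    ev = EVENTS.get(event_id)
    if ev is None:
        return 404, ""
    return 200, {**ev, "attendees": ATTENDEES.get(event_id, [])}


def hardened_event_handler(query, headers, session):
    """Authorisation derives from the server-side session, never from a header.

    Attendee PII and the old_event_id link are returned only when the
    authenticated user organises that exact event. Because the check is made
    per event id, learning old_event_id from one response gains nothing for
    an event the caller is not entitled to.
    """
    try:
        event_id = int(query.get("q", ""))
    except ValueError:
        return 400, ""
    ev = EVENTS.get(event_id)
    if ev is None:
        return 404, ""
    body = public_view(event_id)
    user = session.get("user_id")  # set by the login flow, not by the client
    if user is not None and user == ev["organiser"]:
        body["old_event_id"] = ev["old_event_id"]
        body["attendees"] = ATTENDEES.get(event_id, [])
    return 200, body


def leaks_pii(body):
    """True if a response body carries attendee contact details."""
    return isinstance(body, dict) and any(
        "email" in a or "phone" in a for a in body.get("attendees", [])
    )


if __name__ == "__main__":
    header_only = {"X-SITE-REQ": "permitted"}
    print("vulnerable, header only :", leaks_pii(vulnerable_event_handler({"q": "560699"}, header_only, {})[1]))
    print("hardened, header only   :", leaks_pii(hardened_event_handler({"q": "560699"}, header_only, {})[1]))
    print("hardened, organiser     :", leaks_pii(hardened_event_handler({"q": "560699"}, {}, {"user_id": "org-1"})[1]))
```

The design point is that the header is fine as a routing or feature hint, but it must never substitute for an authorisation decision tied to the authenticated principal and the specific object requested; a quick review check is to grep handlers for any branch whose only condition is a request header.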