Description

While looking at the hackerback event, I noticed the seats are full. Looking at the source code revealed an endpoint /attendees/event.php?q=. I tried visiting it but could not get any information back. Later I found that this endpoint actually require a header X-Site-Req with value permitted. By adding this header, I was able to retrieve the information about this event and who has attended this event before. The information contained Name, Email, Contact No & last_4_CC, which I think is the last 4 digits of credit card. A quick google search revealed that last 4 digits of CC can be used to lookup the purchases made on that card and a few more validation functions.

How did I found the header?

Well if you visit the endpoint /drpanel/drapi/sitesettings.php, you will get this header in response. I just tried it out of curiosity on above endpoint & it worked!

Please Note that, although the /drpanel/drapi/sitesettings.php is meant for just the admin user, it can be accessed by an unauthorized person as well!

Steps to reproduce

1. By running the burp, visit the endpoint provided in the source code of hackerback.html, i.e:/attendees/event.php?q=560720`
2. Send the above request to repeater & add the header like this: X-Site-Req: permitted in the request headers.
3. Send this request. You will get the information in response.
4. There you will see another Id (previous event's Id). Use that as the value of q parameter.
5. In response you will see the information regarding the attendees.

Impact

This bug is disclosing the PII of people who attended this event. This is against the confidentiality of someone's information. People usually don't like to share such information (about their health) with public, but because of this bug a malicious user not only finds out who has such issues, but also their emails, contact no and CC numbers (4 digits) too!