FirstBlood-#643[COLLAB with isitbug] Information disclosure on multiple API endpoints
This issue was discovered on FirstBlood v2

On 2021-10-26, shreky Level 5 reported:

correction to title -> API endpoint leaks patient PII (sry was in a rush lol)


Upon accessing /vaccination-manager/swagger.yaml,the following is given back in the response:

openapi: 3.0.0
  title: 'Vax List API'
  version: 1.0.0
  - url:
    description: Current host server
      summary: 'Returns all vaccination proof records'
      description: 'Returns the full details for all vaccination proof records'
          description: Success

Which references the following endpoint --> /vaccination-manager/api/vax-proof-list.php which discloses patients' id,emails,IPs,user-agent and their proof image file name(guid). This sensitive endpoint can also be obtained through the Swagger UI available at /vaccination-manager/api.php.

Steps to reproduce

  1. Visit /vaccination-manager/api/vax-proof-list.php


This API endpoint is publicly accessible and leaks patients PII.

PII Disclosure -->

Swagger UI that also discloses the sensitive endpoint -->


Endpoint: /vaccination-manager/api/vax-proof-list.php

This report contains multiple vulnerabilities:

  • Info leak
  • Information leak/disclosure

FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure

The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php

FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure

The endpoint api.php can be found under the vaccination manage portal directory which allows for user interaction and results in PII leak on vax-proof-list.php