FirstBlood-#672: Leaked proofs of vaccination on /vaccination-manager/api/vax-proof-list.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, 0x1452 Level 3 reported:

Hey!

I found the endpoint /vaccination-manager/api/vax-proof-list.php which leaks information about all the submitted proofs of vaccination, including the email, image URL and the IP:

[
    {
        "id": 5,
        "email": "[email protected]",
        "proof": "44a7ed633875604d9fc87d1bfb77004bd1e3dc40.jpg",
        "ip": "<ip>",
        "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/95.0.4638.54 Safari\/537.36",
        "created_at": "2021-10-27 08:37:15"
    },
    // ...
]

This API endpoint is documented on the Swagger documentation you can find at /vaccination-manager/api.php. While that's not a vulnerability in itself, these should usually not be publicly accessible (unless your API is supposed to be public).

Impact

Attackers can fetch a list of all submitted proofs of vaccination and additional information about the person who submitted it.
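The report's finding generalises to a routine check: take every endpoint the Swagger document advertises, request it with no credentials, and flag any 200 response whose body carries PII-like fields. The script below is an added example, not code from the report or from FirstBlood; the spec paths, the canned responses and the PII field list are constructed assumptions modelled on the vax-proof-list.php output shown above, so the scan runs offline against a stand-in fetcher instead of a live target.

```python
import json
import re

# Constructed stand-in for the spec served behind api.php (swagger-ui).
# Paths other than vax-proof-list.php are assumptions for this example.
SAMPLE_SPEC = {
    "swagger": "2.0",
    "basePath": "/vaccination-manager/api",
    "paths": {
        "/vax-proof-list.php": {"get": {"summary": "List submitted proofs"}},
        "/vax-proof-submit.php": {"post": {"summary": "Submit a proof"}},
        "/health.php": {"get": {"summary": "Liveness check"}},
    },
}

# Constructed responses an unauthenticated GET would receive, keyed by full path.
# The list entry mirrors the fields from the report; values are made up.
CANNED_RESPONSES = {
    "/vaccination-manager/api/vax-proof-list.php": (200, json.dumps([
        {"id": 5, "email": "user@example.com",
         "proof": "44a7ed633875604d9fc87d1bfb77004bd1e3dc40.jpg",
         "ip": "203.0.113.7", "user_agent": "Mozilla/5.0",
         "created_at": "2021-10-27 08:37:15"}
    ])),
    "/vaccination-manager/api/health.php": (200, json.dumps({"status": "ok"})),
}

# Field names treated as PII indicators (assumed list; extend per application).
PII_KEYS = {"email", "ip", "user_agent", "phone", "dob", "address", "ssn"}
EMAIL_RE = re.compile(r'[^@\s"]+@[^@\s"]+\.[a-z]{2,}', re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def enumerate_get_endpoints(spec):
    """Return the full URL paths of every GET operation in a Swagger 2.0 document."""
    base = spec.get("basePath", "").rstrip("/")
    found = []
    for path, ops in spec.get("paths", {}).items():
        if "get" in {method.lower() for method in ops}:
            found.append(base + path)
    return sorted(found)


def _walk(obj, found):
    # Recursively collect JSON keys that look like PII, at any nesting depth.
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower() in PII_KEYS:
                found.add(key.lower())
            _walk(value, found)
    elif isinstance(obj, list):
        for item in obj:
            _walk(item, found)


def pii_indicators(body):
    """Return sorted indicators: PII-named keys plus email/IPv4 patterns in the raw body."""
    found = set()
    try:
        _walk(json.loads(body), found)
    except ValueError:
        pass  # non-JSON body: fall through to pattern matching only
    if EMAIL_RE.search(body):
        found.add("email-pattern")
    if IPV4_RE.search(body):
        found.add("ipv4-pattern")
    return sorted(found)


def canned_fetch(url):
    # Stand-in for an HTTP client that sends no cookies or tokens.
    return CANNED_RESPONSES.get(url, (404, ""))


def scan_unauthenticated(spec, fetch=canned_fetch):
    """List (url, status, indicators) for GET endpoints answering 200 with PII-like data."""
    findings = []
    for url in enumerate_get_endpoints(spec):
        status, body = fetch(url)
        if status != 200:
            continue
        indicators = pii_indicators(body)
        if indicators:
            findings.append((url, status, indicators))
    return findings


if __name__ == "__main__":
    for url, status, indicators in scan_unauthenticated(SAMPLE_SPEC):
        print(f"{status} {url} -> {', '.join(indicators)}")
```

Against a real target, replace `canned_fetch` with a client that deliberately omits session cookies and tokens; any 200 that still returns PII is the same class of bug as this report, whatever the endpoint is called.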

P1 CRITICAL

Endpoint: /vaccination-manager/api/vax-proof-list.php

This bug makes use of the following vulnerabilities in a chain:

  • Info leak
  • Information leak/disclosure


FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure

The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php

FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure

The endpoint api.php can be found under the vaccination manager portal directory; it allows for user interaction and leads to the PII leak on vax-proof-list.php.