FirstBlood-#742 — [COLLAB] Enumerate users via vaccination manager login
This issue was discovered on FirstBlood v2
On 2021-10-27, amec0e (Level 3) reported:
Hey mate,
I found from the previous report (Deserialization to RCE), using 'ls *' as the payload, that we can get a directory listing which shows there's a login/logout and portal endpoint in the /vaccination-manager/ directory. On this login page it is possible to enumerate valid usernames via different error messages. Also, viewing the endpoint /vaccination-manager/portal.php, you can see in the response that it sets a cookie called vaccination_manager to be deleted. I haven't found a use for this just yet though!
UPDATE: While this was initially reported as being able to enumerate valid users (which we can do), we can also now bypass the login using SQL injection.
Impact:
Impact was initially low because we are able to successfully enumerate valid usernames.
However, we can bypass the login panel using SQL injection, which allows us to view all uploaded vaccination proofs along with emails and IPs.
Steps to reproduce:
- Visit the endpoint /vaccination-manager/login.php and enter incorrect credentials like test:test

You will see "User does not exist"

However if we enter a valid username we get "Invalid username or password"
And so we can successfully confirm there is an admin account.
Additional Information:
I was able to bypass the login using the username admin and the password as a SQL statement ' OR 1=1#

Request & Response:

Best Regards,
Amec0e.
In Collaboration with thebinarybot
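The two defects in this report, distinct error messages for unknown versus known users and a password value spliced into the SQL text, are shown below in a small Python/sqlite3 example added here for illustration; it is not the report's or FirstBlood's code. The `users` table layout, the admin password and the `login.php`-style query string are constructed assumptions; the payload is the one from the report.

```python
import hashlib
import hmac
import secrets
import sqlite3

# One message for every failed attempt. Returning "User does not exist" for an
# unknown name and "Invalid username or password" for a known one is what let
# the reporter confirm the admin account exists.
LOGIN_FAILED = "Invalid username or password"


def build_vulnerable_query(username: str, password: str) -> str:
    """String concatenation as in a hypothetical vulnerable login.php: the
    password becomes SQL text, so the report's payload closes the quote,
    appends OR 1=1 and comments out the trailing quote (MySQL '#')."""
    return ("SELECT id FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory users table with a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE, salt BLOB, pw_hash BLOB)")
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 ("admin", salt, hash_password("correct horse battery", salt)))
    return conn


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> tuple[bool, str]:
    """Parameterised lookup: user input never reaches the SQL parser, and the
    same failure message is returned whether or not the username exists."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    # Hash against a dummy salt when the user is missing so the response time
    # does not reveal account existence either.
    salt, stored = row if row else (b"\x00" * 16, b"\x00" * 32)
    if row is None or not hmac.compare_digest(hash_password(password, salt), stored):
        return False, LOGIN_FAILED
    return True, "Welcome, " + username
```

`build_vulnerable_query("admin", "' OR 1=1#")` yields `... AND password = '' OR 1=1#'`, which matches every row; the same input to `hardened_login` is just a wrong password.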
P1 CRITICAL
Endpoint: /vaccination-manager/login.php
Parameter: NA
Payload: NA
FirstBlood ID: 30
Vulnerability Type: SQL Injection
There is an SQL injection on the vaccination management portal login page which results in the user being able to login as the administrator.
Report Feedback
Creator & Administrator
Nice find, we don't have a unique bug for enumeration on FirstBlood but as SQL was demonstrated here I am assigning bug ID 30 :) Nice work!