FirstBlood-#779 Info disclosure on /vaccination-manager/api/vax-proof-list.php
This issue was discovered on FirstBlood v2

On 2021-10-28, xnl-h4ck3r Level 4 reported:

Summary

There is a publicly available Swagger API on /vaccination-manager/api.php. The API isn't public so this swagger UI should not be public either. This Swagger UI lets us know about endpoint /vaccination-manager/api/vax-proof-list.php. An attacker can look at PII for any user who has uploaded a proof of vaccination using this endpoint, and there is no requirement for authentication or authorisation to access the information.

Steps to reproduce

  1. Go to vaccination-manager/pub/upload-vaccination-proof.php and upload a document.
  2. Send a GET request to /vaccination-manager/api/vax-proof-list.php and observe PII info of users who uploaded the info in step 1.

Impact

The publicly available Swagger UI gives an attacker information about a private API endpoint. Using this endpoint, the PII information of any user who uploads a proof of vaccination is accessible by anyone, without any form of authentication or authorisation.

P1 CRITICAL

Endpoint: /vaccination-manager/api/vax-proof-list.php

This report contains multiple vulnerabilities:

  • Info leak
  • Information leak/disclosure

FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure

The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via the swagger-ui at /vaccination-manager/api.php.

FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure

The endpoint api.php can be found under the vaccination manager portal directory, which allows for user interaction and results in a PII leak on vax-proof-list.php.
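The root cause behind both FirstBlood IDs above is the same: a listing handler that queries PII and returns it to whoever sends the request, with no session or role check, and a Swagger UI that advertises that handler to anonymous visitors. The sketch below is an added illustration, not FirstBlood's own code, of what such a handler looks like beside a hardened version that refuses unauthenticated and unauthorised callers. The table and column names (`vax_proofs`, `full_name`, `dob`, `email`), the session keys (`user_id`, `role`), the role names and the `require_role()` helper are all assumptions made for the example.

```php
<?php
// Added example (not FirstBlood's code). Schema, session keys, role names
// and the require_role() helper are hypothetical assumptions.
declare(strict_types=1);
session_start();

// --- Vulnerable form: the behaviour the report describes ---
// Any GET to /vaccination-manager/api/vax-proof-list.php returns every
// uploaded proof record, PII included. Nothing is checked first.
function vax_proof_list_vulnerable(PDO $db): array
{
    $stmt = $db->query('SELECT id, full_name, dob, email, filename FROM vax_proofs');
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened form ---
// Deny by default: a request must carry an authenticated session AND a role
// permitted to view uploaded proofs before the query runs. The same gate
// belongs in front of api.php (the Swagger UI), so the private API is not
// documented to anonymous visitors either.
function require_role(array $allowed): void
{
    header('Content-Type: application/json');
    if (empty($_SESSION['user_id'])) {                 // not logged in
        http_response_code(401);
        echo json_encode(['error' => 'authentication required']);
        exit;
    }
    if (!in_array($_SESSION['role'] ?? '', $allowed, true)) {  // logged in, wrong role
        http_response_code(403);
        echo json_encode(['error' => 'forbidden']);
        exit;
    }
}

function vax_proof_list_hardened(PDO $db): array
{
    require_role(['vaccination_manager', 'admin']);    // assumed role names
    // Also minimise: staff reviewing proofs rarely need the raw email/dob
    // columns in a list view, so only select what the page really renders.
    $stmt = $db->query('SELECT id, full_name, filename FROM vax_proofs');
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Entry point for the hardened /vaccination-manager/api/vax-proof-list.php
$db = new PDO('sqlite::memory:');                      // placeholder DSN for the example
echo json_encode(vax_proof_list_hardened($db));
```

The check is deliberately placed inside the handler rather than relying on an outer page to have done it, so a direct request to the API file (which is exactly what the reporter did after reading the Swagger UI) is rejected with 401/403. For detection, web-server logs showing GET requests to `/vaccination-manager/api/vax-proof-list.php` or `/vaccination-manager/api.php` without an accompanying session cookie are the signal that the endpoint is being enumerated anonymously.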