FirstBlood #800: Information about vaccination proof can be accessed by any user via /vaccination-manager/api/vax-proof-list.php endpoint
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-28, panya Level 7 reported:

After some recon I discovered an exposed swagger-ui interface at /vaccination-manager/api.php (the list of the vaccination manager API endpoints can also be accessed via the /vaccination-manager/swagger.yaml file).

This endpoint doesn't have any access control and can be accessed by any user (even without authentication on /vaccination-manager/login.php).

This swagger-ui reveals one endpoint, /vaccination-manager/api/vax-proof-list.php, which returns all information about vaccination proofs (including users' emails, proof images, IP addresses and user-agents). For example:

[{
  "id": 1,
  "email": "[email protected]",
  "proof": "6874beb42b978ed26dd38e77f5ea4a1d3dbe4eaf.jpg",
  "ip": "157.230.125.192",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36",
  "created_at": "2021-10-28 18:45:54"
}]

This endpoint has broken access control (any user of the site can access it).

Impact:

An attacker could get PII of users of the site.

P1 CRITICAL

Endpoint: /vaccination-manager/api/vax-proof-list.php

This bug makes use of the following vulnerabilities in a chain:

  • Info leak
  • Information leak/disclosure


FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure

The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php.
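The root cause above is a data-returning endpoint with no session check in front of it. The following is an added illustration of what the fix looks like in PHP; it is not FirstBlood's own code, and the table name, column names, session keys and role value are assumptions made for the example. The unprotected function mirrors the behaviour in the report (no authentication, every column returned); the protected one requires an authenticated vaccination-manager session and drops the IP address and user-agent from the response, since a client listing proofs has no need for them.

```php
<?php
// Added illustration, not FirstBlood's own code. The vax_proofs table, its
// columns, the session keys and the 'manager' role are assumptions.
declare(strict_types=1);

// --- Vulnerable shape, as reported: anyone can call it, every field comes back.
function vax_proof_list_unprotected(PDO $db): array
{
    $stmt = $db->query(
        'SELECT id, email, proof, ip, user_agent, created_at FROM vax_proofs'
    );
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened shape: authenticate first, then return only what the caller needs.

// Returns true when the current session belongs to a logged-in vaccination
// manager. Assumes /vaccination-manager/login.php sets these session keys.
function is_vaccination_manager(array $session): bool
{
    return !empty($session['vax_manager_id'])
        && (($session['vax_manager_role'] ?? '') === 'manager');
}

// Emits a JSON 401 and stops the request when the session check fails.
function require_vaccination_manager(): void
{
    if (!is_vaccination_manager($_SESSION ?? [])) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'authentication required']);
        exit;
    }
}

// Protected listing: ip and user_agent stay server-side (audit only) and are
// never serialised into the API response.
function vax_proof_list_protected(PDO $db): array
{
    require_vaccination_manager();
    $stmt = $db->query(
        'SELECT id, email, proof, created_at FROM vax_proofs'
    );
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Entry point standing in for the body of vax-proof-list.php in this example.
session_start();
$db = new PDO('sqlite:/path/to/firstblood.db'); // placeholder DSN, assumption
header('Content-Type: application/json');
echo json_encode(vax_proof_list_protected($db));
```

The same `require_vaccination_manager()` gate belongs at the top of /vaccination-manager/api.php and in front of /vaccination-manager/swagger.yaml as well: the report shows that an unauthenticated API description is what led to the data endpoint, so the documentation should be no more reachable than the data it describes. A quick regression check after the fix is an unauthenticated request to each of the three paths, expecting a 401 rather than JSON or YAML.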

FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure

The endpoint api.php can be found under the vaccination manager portal directory, which allows for user interaction and results in a PII leak on vax-proof-list.php.