FirstBlood-#915List of vaccination disclosure
This issue was discovered on FirstBlood v2.0.0 (issues patched)

On 2021-10-30, vigilante Level 4 reported:


The /api/vax-proof-list.php leaks sensitive information.

After rooting the server through deserialization, I've searched through the vaccination-manager directory and found /api/vax-proof-list.php endpoint which can by accessed by unauthenticated users.

Steps to Reproduce:

  1. Navigate to /api/vax-proof-list.php
  2. See sensitive information like email, proof image and ip address.
GET /vaccination-manager/api/vax-proof-list.php HTTP/1.1
Cookie: vaccination_manager=1169e091578618a592da0af78e85defa2760148f89bff98baf1aea6e22226668; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=a1591376de74895e99a25819f
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Te: trailers
Connection: close

Supporting Material:


This shouldn't be available to users that haven't logged in to the vaccination-manager portal.


Endpoint: /api/vax-proof-list.php

Parameter: n/a

Payload: n/a

FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure

The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php