FirstBlood-#915 — List of vaccination disclosure
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-30, vigilante reported:
The /api/vax-proof-list.php leaks sensitive information.
After rooting the server through deserialization, I've searched through the vaccination-manager directory and found the /api/vax-proof-list.php endpoint, which can be accessed by unauthenticated users.
Steps to Reproduce:
- Navigate to /api/vax-proof-list.php
- See sensitive information like email, proof image and IP address.
GET /vaccination-manager/api/vax-proof-list.php HTTP/1.1
Host: 71db6da74f3c-vigilante.a.firstbloodhackers.com
Cookie: vaccination_manager=1169e091578618a592da0af78e85defa2760148f89bff98baf1aea6e22226668; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=a1591376de74895e99a25819f
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Te: trailers
Connection: close
This shouldn't be available to users that haven't logged in to the vaccination-manager portal.
FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure
The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php
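The root cause is an API file that emits its full result set before any check that the caller holds an authenticated session. The following is an added example, not FirstBlood's own code, of the hardened shape such an endpoint should take: a server-side session gate that fails closed with 401, and a query that returns only the fields a logged-in doctor needs (no email or IP address). The function names, the session key `doctor_id`, the table and column names and the PDO DSN are all hypothetical placeholders.

```php
<?php
// Added example (not FirstBlood's code): hardened form of an endpoint such as
// /vaccination-manager/api/vax-proof-list.php. All identifiers below
// (requireDoctorSession, 'doctor_id', fetchVaxProofs, vax_proofs) are hypothetical.

declare(strict_types=1);

header('Content-Type: application/json; charset=utf-8');
header('Cache-Control: no-store'); // PII must not be cached by intermediaries

// Authentication gate. Only state the server itself placed in $_SESSION at
// login counts as proof of identity; a client-supplied cookie value such as a
// base64 "authed" flag is attacker-controlled and is never consulted here.
function requireDoctorSession(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['doctor_id']) || !is_int($_SESSION['doctor_id'])) {
        http_response_code(401);
        echo json_encode(['error' => 'authentication required']);
        exit; // fail closed: nothing after this line runs for anonymous callers
    }
    return $_SESSION['doctor_id'];
}

// Data access with field minimisation: the list view needs the proof image
// and status, not the patient's email or the submitting IP address, so those
// columns are simply never selected.
function fetchVaxProofs(PDO $db, int $doctorId): array
{
    $stmt = $db->prepare(
        'SELECT id, patient_name, proof_image, status
           FROM vax_proofs
          WHERE assigned_doctor = :doctor'
    );
    $stmt->execute([':doctor' => $doctorId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$doctorId = requireDoctorSession();          // 401 for unauthenticated callers
$db = new PDO('sqlite::memory:');            // placeholder DSN for illustration
echo json_encode(fetchVaxProofs($db, $doctorId));
```

The gate runs before any output and before the database is touched, so an unauthenticated request never reaches the query; the swagger-ui listing at /vaccination-manager/api.php can still advertise the endpoint without that disclosure mattering, because discovery alone no longer yields data.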