FirstBlood-#943 Endpoint discloses information about all vaccination proof records
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-30, 0xblackbird Level 4 reported:

Hello! I found an endpoint that discloses way more information than it actually should. The following endpoint /vaccination-manager/api/vax-proof-list.php discloses the email address, proof image filename, public IP address and user agent of users who've made use of the functionality.

Steps to reproduce

  • First of all, to view the info, we need to submit information (this can be done by anyone). Navigate to /vaccination-manager/pub/upload-vaccination-proof.php and upload any image + fill in a valid email address.

  • From the swagger.yaml, we can see that there's an endpoint that returns all the information of users who've submitted something in the form.

  • Requesting the endpoint gives us the following:

  • As you can see, all the information we entered before is available for everyone here, including the proof itself which we can request here: /upload/{hash}.jpg

Kind regards,
0xblackbird

P1 CRITICAL

Endpoint: /vaccination-manager/api/vax-proof-list.php

This bug makes use of the following vulnerabilities in a chain:

  • Info leak
  • Information leak/disclosure


FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure

The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php.

FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure

The endpoint api.php can be found under the vaccination manager portal directory, which allows for user interaction and results in a PII leak on vax-proof-list.php.
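The defect described in this report, an operation published in the API description that requires no authentication yet returns email, IP address and user agent, is the kind of thing a spec audit catches before release. The following is an added example, not FirstBlood's code: a small Python check over an OpenAPI/Swagger document that flags operations with no security requirement whose 200 response schema carries PII-looking fields. The spec it scans is constructed for the example (it is not the real swagger.yaml), and the set of field names treated as PII is an assumption.

```python
PII_FIELDS = {"email", "ip", "ip_address", "user_agent", "filename"}

def _schema_fields(schema):
    """Recursively collect property names from an OpenAPI schema object."""
    names = set()
    if not isinstance(schema, dict):
        return names
    for prop, sub in schema.get("properties", {}).items():
        names.add(prop.lower())
        names |= _schema_fields(sub)
    if "items" in schema:
        names |= _schema_fields(schema["items"])
    return names

def find_unauthenticated_pii(spec):
    """Return [(METHOD, path, [pii fields])] for operations with no security requirement."""
    global_sec = spec.get("security", [])
    findings = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() not in {"get", "post", "put", "delete", "patch"}:
                continue
            # An explicit empty list on the operation overrides global security.
            if op.get("security", global_sec):
                continue
            resp = op.get("responses", {}).get("200", {})
            schemas = [c.get("schema", {}) for c in resp.get("content", {}).values()]
            if "schema" in resp:  # Swagger 2.0 puts the schema directly on the response
                schemas.append(resp["schema"])
            fields = set().union(*(_schema_fields(s) for s in schemas))
            leaked = sorted(fields & PII_FIELDS)
            if leaked:
                findings.append((method.upper(), path, leaked))
    return findings

# Constructed spec modelled on the report: an unauthenticated list endpoint
# returning email, filename, IP and user agent, beside a protected one (assumed name).
RECORD = {"type": "object", "properties": {
    "email": {"type": "string"}, "filename": {"type": "string"},
    "ip": {"type": "string"}, "user_agent": {"type": "string"}}}
CONSTRUCTED_SPEC = {"openapi": "3.0.0", "paths": {
    "/vaccination-manager/api/vax-proof-list.php": {"get": {"responses": {"200": {
        "content": {"application/json": {"schema": {"type": "array", "items": RECORD}}}}}}},
    "/vaccination-manager/api/admin-proof-list.php": {"get": {
        "security": [{"sessionAuth": []}],
        "responses": {"200": {"content": {"application/json": {"schema": RECORD}}}}}}}}

if __name__ == "__main__":
    for method, path, fields in find_unauthenticated_pii(CONSTRUCTED_SPEC):
        print(f"{method} {path}: no auth, returns {', '.join(fields)}")
```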