FirstBlood-#957 [COLLAB] PII leakage via vax-proof-list API
This issue was discovered on FirstBlood v2.0.0 (issues patched)

On 2021-10-27, mrrootsec Level 2 reported:

Dear FirstBlood security team, we found a vulnerability on your service. We hope this report will help you.

This bug was found with my collaboration partner mrroot, huge thanks to him.

Summary

In the /vaccination-manager/api/vax-proof-list.php endpoint, we can see PII such as email, the path to the vaccination proof image (!), IP address and User-Agent.

We consider this a serious information disclosure.

Vulnerability Description (PoC)

First of all, we did some recon and realized a swagger.yaml file is available at /vaccination-manager/swagger.yaml.

The content of swagger.yaml is as follows:

openapi: 3.0.0
info:
  title: 'Vax List API'
  version: 1.0.0
servers:
  - url:
    description: Current host server
paths:
  /vaccination-manager/api/vax-proof-list.php:
    get:
      summary: 'Returns all vaccination proof records'
      description: 'Returns the full details for all vaccination proof records'
      responses:
        '200':
          description: Success

We can see there is an API path /vaccination-manager/api/vax-proof-list.php.

When we access that endpoint, we can see PII. In my environment, that API returns this information (I masked the IP values, sorry!):

[
  {
    "id": 2,
    "email": "[email protected]",
    "proof": "ce96faae59fd7cc280485893cca711b503f10459.png",
    "ip": "x.x.x.x",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36",
    "created_at": "2021-10-27 12:43:30"
  },
  {
    "id": 1,
    "email": "[email protected]",
    "proof": "0ae79116ceb93fb325b4fc8ebc3735d7432eae5f.gif",
    "ip": "x.x.x.x",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36",
    "created_at": "2021-10-27 12:24:21"
  }
]

This endpoint does not have any access restriction, so everybody can see other users' vaccination proof image files or email addresses...

Note: we can see Swagger itself at /vaccination-manager/api.php.

Impact

  • everybody can see others' email addresses, vaccination proof image paths, IPs, etc.

Regards, kinako and mrroot

P1 CRITICAL

Endpoint: /vaccination-manager/api/vax-proof-list.php

This bug makes use of the following vulnerabilities in a chain:

  • Info leak
  • Information leak/disclosure


FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure

The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php.

FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure

The endpoint api.php can be found under the vaccination manager portal directory. It allows for user interaction and results in a PII leak on vax-proof-list.php.