FirstBlood-#957 — [COLLAB]PII leakage via vax-proof-list API
This issue was discovered on FirstBlood v2
On 2021-10-27, mrrootsec Level 2 reported:
Dear FirstBlood security team, we found a vulnerability in your service.
We hope this report will help you.
This bug was found with my collaboration partner mrroot; huge thanks to him.
Summary
In the /vaccination-manager/api/vax-proof-list.php endpoint, we can see PII such as email, the path to the vaccination proof image(!), IP address and User-Agent.
We consider this a serious information disclosure.
Vulnerability Description (PoC)
First of all, we did some recon and realized a swagger.yaml file is available at /vaccination-manager/swagger.yaml.
The content of swagger.yaml is:
openapi: 3.0.0
info:
  title: 'Vax List API'
  version: 1.0.0
servers:
  - url:
    description: Current host server
paths:
  /vaccination-manager/api/vax-proof-list.php:
    get:
      summary: 'Returns all vaccination proof records'
      description: 'Returns the full details for all vaccination proof records'
      responses:
        '200':
          description: Success
We can see there is an API path /vaccination-manager/api/vax-proof-list.php.
When we access that endpoint, we can see PII.
In my environment, that API returns this information (I masked the IP values, sorry!):
[
  {
    "id": 2,
    "email": "[email protected]",
    "proof": "ce96faae59fd7cc280485893cca711b503f10459.png",
    "ip": "x.x.x.x",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36",
    "created_at": "2021-10-27 12:43:30"
  },
  {
    "id": 1,
    "email": "[email protected]",
    "proof": "0ae79116ceb93fb325b4fc8ebc3735d7432eae5f.gif",
    "ip": "x.x.x.x",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36",
    "created_at": "2021-10-27 12:24:21"
  }
]
This endpoint does not have any access restriction, so everybody can see other users' vaccination proof image files or emails...
Note: we can see Swagger itself at /vaccination-manager/api.php.
Impact
- Everybody can see others' email addresses, vaccination proof image paths, IPs, etc.
Regards,
kinako and mrroot
P1 CRITICAL
Endpoint: /vaccination-manager/api/vax-proof-list.php
This report contains multiple vulnerabilities:
FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure
The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php.
FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure
The endpoint api.php can be found under the vaccination manager portal directory, which allows for user interaction and results in a PII leak on vax-proof-list.php.