FirstBlood-#1632Information disclosure
This issue was discovered on FirstBlood v3



On 2022-12-12, srb1mal Level 4 reported:

Hello sean, Summary - I found an info disclosure on /api/locations.php endpoint with location parameter.

Steps to reproduce -

  1. Visit https://057253f90d39-srb1mal.a.firstbloodhackers.com/api/locations.php?location=chicago & it says it leaked some kind of private data which i don't know where to use.

POC -

Thanks & Regards, srb1mal

P2 High

Endpoint: /api/locations.php

Parameter: location

Payload: chicago


FirstBlood ID: 62
Vulnerability Type: Access_control

The endpoint /api/locations?location= leaks the Seattle and Chicago address despite them being listed as PRIVATE on FirstBloodv3