FirstBlood-#506 Several Information leakage through vaccination proof list
This issue was discovered on FirstBlood v2
On 2021-10-25, holybugx Level 5 reported:

Description

Hello Sean,

Sensitive information about users' vaccination proofs is leaked through the exposed /vaccination-manager/api/vax-proof-list.php API endpoint. Proper authorization checks are not implemented on the API endpoint, which makes this attack possible. Users' email addresses, IP addresses, User-Agents and vaccination proofs are leaked using this vulnerability.

The Swagger API exposes the /vaccination-manager/api/vax-proof-list.php API endpoint which doesn't contain any authorization.

The Swagger API is accessible through several paths, some of which are:

/vaccination-manager/api.php
/vaccination-manager/swagger.yaml

Steps To Reproduce

  1. Open the following URL to gain access to all vaccination proofs shared by users:

https://firstbloodhackers.com/vaccination-manager/api/vax-proof-list.php

Exploitation

Here is an example leakage from the mentioned API endpoint:

{
   "id":8,
   "email":"[email protected]",
   "proof":"e36be8443f5dd330837f4876d1934915f702b69e.png",
   "ip":"134.19.185.123",
   "user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko\/20100101 Firefox\/93.0",
   "created_at":"2021-10-26 17:33:34"
}

An attacker can view other users' vaccination proofs using their leaked proof. It is possible to use the leaked proofs in the following format:

https://firstbloodhackers.com/upload/:proof

Impact

  • Leakage of users' vaccination proofs, containing their email address, IP address, User-Agent and proof images.

Remediation

  • Implementing proper authorization to access the /vaccination-manager/api/vax-proof-list.php API endpoint.

Kind Regards,

HolyBugx
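The fix the report asks for is an authorization check in front of the listing endpoint. The following is an added example of what a hardened vax-proof-list.php could look like; it is not FirstBlood's own code. It assumes (none of this is stated in the report) that the login code stores user_id and a role in the PHP session, that the role allowed to list proofs is named 'manager', and that the table is vax_proofs(id, email, proof, ip, user_agent, created_at). The sample row is constructed so the script runs stand-alone.

```php
<?php
// Added example, not FirstBlood's own code: a hardened vax-proof-list.php.
// Assumptions (not from the report): the login code stores user_id and role
// in the PHP session, the role that may list proofs is called 'manager', and
// the table is vax_proofs(id, email, proof, ip, user_agent, created_at).
declare(strict_types=1);

session_start();

function json_fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit; // fail closed: nothing below runs without a valid session and role
}

function require_role(string $role): void
{
    if (empty($_SESSION['user_id'])) {
        json_fail(401, 'authentication required');
    }
    if (($_SESSION['role'] ?? '') !== $role) {
        json_fail(403, 'forbidden');
    }
}

function list_vax_proofs(PDO $pdo): array
{
    // Project only the columns the manager UI needs. ip and user_agent stay
    // in the database; they were part of the leak and no client needs them.
    $stmt = $pdo->query(
        'SELECT id, email, proof, created_at FROM vax_proofs ORDER BY created_at DESC'
    );
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The authorization check runs before any database access.
require_role('manager');

// Constructed in-memory data so the file runs stand-alone; the real
// application would hand over its own PDO connection here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE vax_proofs (id INTEGER PRIMARY KEY, email TEXT, proof TEXT,
            ip TEXT, user_agent TEXT, created_at TEXT)');
$pdo->exec("INSERT INTO vax_proofs VALUES
    (8, 'user@example.com', 'e36be8443f5dd330837f4876d1934915f702b69e.png',
     '192.0.2.10', 'Mozilla/5.0 (constructed)', '2021-10-26 17:33:34')");

header('Content-Type: application/json');
header('Cache-Control: no-store'); // PII: keep it out of shared caches
echo json_encode(list_vax_proofs($pdo), JSON_THROW_ON_ERROR);
```

Run from the command line, or in a browser without a logged-in session, the script answers 401 and returns no rows, which is the behaviour the original endpoint lacked. Two details matter beyond the check itself: the check sits above the database code so a later edit cannot accidentally move data access in front of it, and the SELECT no longer returns ip and user_agent, so even an authorized manager session cannot become a new source of the same leak.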

P1 CRITICAL

This report contains multiple vulnerabilities:

  • Info leak
  • Information leak/disclosure


FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure

The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php.

FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure

The endpoint api.php can be found under the vaccination manager portal directory, which allows for user interaction and results in a PII leak on vax-proof-list.php.
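The report also notes that a leaked proof filename can be opened directly as /upload/:proof, so the listing endpoint is only half the problem: the images themselves are served without any check. The following added example (not FirstBlood's code) shows a download handler that serves a proof image only to its owner or to a manager, from a directory outside the web root. Everything about the storage layout is assumed: PROOF_DIR, a user_id column on vax_proofs, the 'manager' role name, and the session keys; the table contents are constructed for a stand-alone run.

```php
<?php
// Added example, not FirstBlood's own code: an authenticated download
// handler (proof.php?name=<file>) that replaces direct access to
// /upload/<proof>. Assumptions (not from the report): proof files live in
// PROOF_DIR outside the web root, the session holds user_id and role,
// vax_proofs has a user_id column, and managers use the role name 'manager'.
declare(strict_types=1);

session_start();

const PROOF_DIR = '/var/lib/firstblood/proofs'; // assumed path; not served by the web server

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// Server-generated proof names are <40 hex chars>.png (as in the report's
// sample); anything else, including "..", is rejected before touching disk.
function safe_proof_path(string $name): ?string
{
    if (!preg_match('/\A[0-9a-f]{40}\.png\z/', $name)) {
        return null;
    }
    $base = realpath(PROOF_DIR);
    $real = realpath(PROOF_DIR . '/' . $name);
    // realpath resolves symlinks, so the result must still sit under PROOF_DIR
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $real;
}

// Object-level check: a user sees only their own proof, a manager sees all.
function can_view_proof(PDO $pdo, string $name, int $userId, string $role): bool
{
    if ($role === 'manager') {
        return true;
    }
    $stmt = $pdo->prepare('SELECT 1 FROM vax_proofs WHERE proof = ? AND user_id = ?');
    $stmt->execute([$name, $userId]);
    return $stmt->fetchColumn() !== false;
}

if (empty($_SESSION['user_id'])) {
    deny(401);
}

$name = (string) ($_GET['name'] ?? '');
$path = safe_proof_path($name);
if ($path === null) {
    deny(404);
}

// Constructed stand-in for the application's own PDO connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE vax_proofs (proof TEXT, user_id INTEGER)');
$pdo->exec("INSERT INTO vax_proofs VALUES ('e36be8443f5dd330837f4876d1934915f702b69e.png', 1)");

if (!can_view_proof($pdo, $name, (int) $_SESSION['user_id'], (string) ($_SESSION['role'] ?? ''))) {
    deny(404); // same answer as "no such file": do not confirm that another user's proof exists
}

header('Content-Type: image/png');
header('Content-Disposition: inline; filename="proof.png"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: no-store');
readfile($path);
```

The handler on its own does not close the hole: as long as the upload directory stays inside the document root, /upload/:proof keeps working no matter what proof.php checks. Moving the files to a location the web server does not serve (or denying direct access to the directory in the server configuration) is the part of the fix that makes the handler the only way in; the filename allow-list and the realpath check then keep that single entry point from turning into a path traversal primitive.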