FirstBlood-#800 — Information about vaccination proof can be accessed by any user via /vaccination-manager/api/vax-proof-list.php endpoint
This issue was discovered on FirstBlood v2
On 2021-10-28, panya Level 7 reported:
After some recon I discovered an exposed swagger-ui interface at /vaccination-manager/api.php (the list of the vaccination manager API endpoints could also be accessed via the /vaccination-manager/swagger.yaml file).
This endpoint doesn't have any access control and can be accessed by any user (even without authentication on /vaccination-manager/login.php).
This swagger ui reveals one endpoint, /vaccination-manager/api/vax-proof-list.php, which returns all information about vaccination proofs (including users' emails, proof images, IP addresses and user agents). For example:
[{
    "id": 1,
    "email": "test@test.com",
    "proof": "6874beb42b978ed26dd38e77f5ea4a1d3dbe4eaf.jpg",
    "ip": "157.230.125.192",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36",
    "created_at": "2021-10-28 18:45:54"
}]
This endpoint has broken access control (any user of the site can access it).
Impact:
An attacker could get PII of users of the site.
P1 CRITICAL
Endpoint: /vaccination-manager/api/vax-proof-list.php
This report contains multiple vulnerabilities:
FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure
The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php
FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure
The endpoint api.php can be found under the vaccination manager portal directory, which allows for user interaction and results in a PII leak on vax-proof-list.php.
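The fix for both findings is the same: a deny-by-default authorization guard shared by api.php and every handler under api/, plus returning only the fields the manager view needs. The following is an added example, not the FirstBlood project's own code; the session key `vm_user`, the `role` field, the `vax_proofs` table and the `$pdo` connection are assumptions about how the portal is built.

```php
<?php
// Added example (not FirstBlood's code). Assumes /vaccination-manager/login.php
// stores the logged-in user as $_SESSION['vm_user'] = ['id' => ..., 'role' => ...];
// these names are hypothetical.

// ---- vaccination-manager/auth_guard.php (required by api.php and api/*.php) ----
function require_portal_user(array $allowed_roles): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    header('Cache-Control: no-store');      // PII responses must never be cached
    header('Content-Type: application/json');

    $user = $_SESSION['vm_user'] ?? null;
    if ($user === null) {                   // no session at all -> 401
        http_response_code(401);
        echo json_encode(['error' => 'authentication required']);
        exit;
    }
    // Logged in but not an allowed role -> 403 (no object-level detail leaked)
    if (!in_array($user['role'] ?? '', $allowed_roles, true)) {
        http_response_code(403);
        echo json_encode(['error' => 'forbidden']);
        exit;
    }
    return $user;
}

// ---- vaccination-manager/api/vax-proof-list.php (hardened) ----
// Before the fix this file simply serialised every row of the table (id, email,
// proof, ip, user_agent, created_at) for any caller, which is the leak reported.
require_once __DIR__ . '/../auth_guard.php';
$user = require_portal_user(['admin']);     // deny by default: portal admins only

// $pdo is assumed to be the portal's existing PDO connection (hypothetical).
$stmt = $pdo->query('SELECT id, email, proof, created_at FROM vax_proofs');
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Data minimisation: ip and user_agent are never sent to the client at all.
echo json_encode($rows);
```

Placing `require_portal_user(['admin']);` at the top of api.php as well closes the unauthenticated Swagger UI (FirstBlood ID 31), while vax-proof-list.php keeps its own guard so it is safe even when called directly (FirstBlood ID 37).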