FirstBlood-#643[COLLAB with isitbug] Information disclosure on multiple API endpoints
This issue was discovered on FirstBlood v2

On 2021-10-26, shreky Level 5 reported:

correction to title -> API endpoint leaks patient PII (sry was in a rush lol)

Summary

Upon accessing /vaccination-manager/swagger.yaml,the following is given back in the response:

openapi: 3.0.0
info:
  title: 'Vax List API'
  version: 1.0.0
servers:
  - url:
    description: Current host server
paths:
  /vaccination-manager/api/vax-proof-list.php:
    get:
      summary: 'Returns all vaccination proof records'
      description: 'Returns the full details for all vaccination proof records'
      responses:
        '200':
          description: Success

Which references the following endpoint --> /vaccination-manager/api/vax-proof-list.php which discloses patients' id,emails,IPs,user-agent and their proof image file name(guid). This sensitive endpoint can also be obtained through the Swagger UI available at /vaccination-manager/api.php.

Steps to reproduce

  1. Visit /vaccination-manager/api/vax-proof-list.php

Impact

This API endpoint is publicly accessible and leaks patients PII.

PII Disclosure -->

Swagger UI that also discloses the sensitive endpoint -->

P1 CRITICAL

Endpoint: /vaccination-manager/api/vax-proof-list.php

This report contains multiple vulnerabilities:

  • Info leak
  • Information leak/disclosure

FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure

The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php

FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure

The endpoint api.php can be found under the vaccination manage portal directory which allows for user interaction and results in PII leak on vax-proof-list.php