FirstBlood-#732: User can upload infinite times vaccination certificate with same email leads to app/business Logic failure.
This issue was discovered on FirstBlood v2



On 2021-10-27, vishal Level 2 reported:

Description: One user can upload different vaccination certificates an infinite number of times with the same email, which leads to app/business logic failure.

Steps to Reproduce:

  1. Go to /vaccination-manager/pub/upload-vaccination-proof.php
  2. Fill in a valid email address and submit a valid image file less than 2mb in size.
  3. Capture the request and send it to Intruder. To repeat the request multiple times I have added part of the User-Agent as a payload set and in payload type.
  4. I have chosen numbers from 1 to 100 with step to generate 100 upload requests. Now start the attack & wait till all requests are sent.
  5. Now log in at /vaccination-manager/login.php with username admin and password =' or ''=' (refer to report https://www.bugbountyhunter.com/hackevents/report?id=712 if required)

All done. You will see that all the reports were uploaded to the database.

Impact: A vaccination certificate is something unique to someone. In some cases it's used for verification purposes as well in some countries. Logically it doesn't make sense that one user could even have more than 2 certificates, whereas I was able to upload 300+ (maybe it's possible until the storage is full, putting the server into denial of service).

Basically it is impacting majorly in 3 ways, I guess.

  1. Allowing data ambiguity & legitimacy.
  2. Denial of service (as it will definitely at some point fill the storage; if we upload a 1.99mb image file 2M or more times, I guess server storage will stop working for genuine users. Data availability will be affected.)
  3. One user is supposed to have only one vaccination certificate, whereas in my finding one user can upload as many different certificates as he wants with the same email id.

Lastly, if anything is missing just let me know. Regards, Vishal

P5 Informative

Endpoint: /vaccination-manager/pub/submit-vaccination-proof.php

Parameter: none

Payload: anything

Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.
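
One way to close the gap the report describes, as an added example that is not FirstBlood code: make "one proof per email" a database invariant so that replayed or concurrent submissions cannot get past a check-then-insert. The table name, function names, status strings and the SQLite store are assumptions; the 2 MB cap is the limit mentioned in the report.

```python
import hashlib
import sqlite3

MAX_BYTES = 2 * 1024 * 1024  # upload size limit mentioned in the report


def open_store(path=":memory:"):
    """Open the (hypothetical) proof store and create its schema."""
    conn = sqlite3.connect(path)
    # The PRIMARY KEY on email is the control: the database itself refuses a
    # second row, even if many requests for the same email arrive at once.
    conn.execute(
        "CREATE TABLE IF NOT EXISTS vaccination_proof ("
        " email TEXT PRIMARY KEY,"
        " sha256 TEXT NOT NULL,"
        " size INTEGER NOT NULL)"
    )
    return conn


def normalize_email(email):
    # Case and surrounding whitespace must not create a "new" identity.
    return email.strip().lower()


def submit_proof(conn, email, data):
    """Return 'stored', 'duplicate', 'bad_size' or 'invalid_email'."""
    key = normalize_email(email)
    if "@" not in key or len(key) > 254:
        return "invalid_email"
    if not 0 < len(data) <= MAX_BYTES:
        return "bad_size"
    try:
        with conn:  # one transaction; rolled back if the insert fails
            conn.execute(
                "INSERT INTO vaccination_proof (email, sha256, size)"
                " VALUES (?, ?, ?)",
                (key, hashlib.sha256(data).hexdigest(), len(data)),
            )
    except sqlite3.IntegrityError:
        return "duplicate"  # a proof already exists for this email
    return "stored"


def stored_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM vaccination_proof").fetchone()[0]


if __name__ == "__main__":
    db = open_store()
    # Constructed sample: the same email submitted 100 times with different files.
    results = [submit_proof(db, "user@example.com", b"img-%d" % i) for i in range(100)]
    print(results.count("stored"), results.count("duplicate"), stored_rows(db))
```

Whether a repeat submission should be rejected or should replace the earlier file is a product decision; either way the row count per email stays at one, which also bounds storage growth per address.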

Report Feedback

@zseano

Creator & Administrator


Accepted as informative.