FirstBlood-#174 — [Two Tales of Info leak] Site setting can be accessed and leaked a "x-site-req" header. This header can be used to get HackerBack event attendees info.
This issue was discovered on FirstBlood v1
On 2021-05-11, bobbylin Level 4 reported:
The Two Tales of Information Leakage :
-
In the doctor panel, we can see that there is a sitesettings
value in the JS code.
-
Try appending with some common file extensions: js, txt, yml, config, php, html, etc. Only the php shows some response.
-
If we navigate to /drpanel/drapi/sitesettings.php
endpoint, it will return a response that shows a HTTP header: {"site":"firstblood","process":"eventhandler","x-required":[{"x-site-req":"permitted"},{"type":"request"}],"active":true}
-
In the HackerBack event page, there is another info leak on the "attendees of the event" endpoint.
- The event endpoint will return blank with response 200. So we know that this endpoint exists.
- If we tried adding the "x-site-req" endpoint, we can retrieve event information. But this event id (/attendees/event.php?q=560720) does not return sensitive PII. However, it leaked out the old event id "560700".
- The old event id will leak PII information of the attendees such as number, email, last_4_CC and contact number.
P1 CRITICAL
Parameter:
Payload:
FirstBlood ID: 13
Vulnerability Type: Information leak/disclosure
/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees.