A few months ago, I discovered and reported two (2) vulnerabilities to PhilSys.
On April 27, 2021, three (3) days before the official launch of PhilSys' Online Registration Website, I discovered a critical vulnerability in their UAT Environment.
Proof of Concept
People are sharing the PhilSys post (linked below) about the upcoming launch of their ONLINE REGISTRATION website.
As a security researcher and concerned data subject, I quickly checked the available subdomains of philsys.gov.ph using an online website and discovered the subdomain named register.philsys.gov.ph.
Using the information I gathered from previous vulnerabilities, I quickly discovered the new critical vulnerability affecting the live environment of PhilSys.
PhilSys’ online registration website uses Spring Boot Actuator, and its endpoints were publicly accessible.
Spring Boot Actuator is mainly used to expose operational information about the running application — health, metrics, info, dumps, env, httptrace, etc. It uses HTTP endpoints or JMX beans to enable us to interact with it.
The main link to access PhilSys' actuator was https://register.philsys.gov.ph/preregistration/v1/actuator/. By default, all Actuator endpoints are placed under the
Let's have a look at some available endpoints in the actuator of PhilSys.
- auditevents: exposes audit events information for the current application
- beans: returns all available beans in our BeanFactory
- health: summarizes the health status of our application
- conditions: formerly known as /autoconfig, builds a report of conditions around autoconfiguration
- configprops: allows us to fetch all @ConfigurationProperties beans
- info: returns general information. It might be custom data, build information or details about the latest commit
- loggers: enables us to query and modify the logging level of our application
- threaddump: dumps the thread information of the underlying JVM
- prometheus: returns metrics, but formatted to work with a Prometheus server
- metrics: details metrics of our application. This might include generic metrics as well as custom ones.
- scheduledtasks: provides details about every scheduled task within our application
- mappings: displays a collated list of all @RequestMapping paths
- env: returns the current environment properties. Additionally, we can retrieve single properties.
- heapdump: builds and returns a heap dump from the JVM used by our application
- httptrace: displays HTTP trace information
The last three (3) endpoints (env, heapdump and httptrace) contain sensitive information about the web application and its users.
In this endpoint, I discovered some domains, IP addresses, the database IP and port, a link to their GitHub repository, and other information.
In this endpoint, I discovered sensitive information such as secretKeys, passwords, database IP and port.
Since I have a copy of their whole source code from the vulnerability I reported last March 2021, I noticed that they never changed the exposed and potentially compromised passwords and secretKeys.
In this endpoint, I discovered sensitive information such as Authorization Token of users who registered for PhilSys, their IP address, the system's IP address, cookies, and user's PhilSys registration ID.
Since I can see the Authorization Token of the user and its registration ID, I copied this information and was able to retrieve the information of the user.
So whenever a user registers for a PhilSys account, their HTTP requests, containing the authorization token and registration ID, will be stored/logged in
This vulnerability could allow a malicious user to access sensitive system information and retrieve users' PII just by visiting the public links.
Attackers could also modify the application's configuration through the same endpoints. Read more here: https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
This kind of severe issue must be fixed immediately.
In fact, a company named LINE had a similar issue last year; they fixed it within 24 hours due to its severity, and they awarded the reporters $5,000 and $12,500 bounties.
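The fix the write-up calls for, as an added example (this is not PhilSys code and not taken from their repository): a Spring Boot 2.x / Spring Security 5.x configuration that reduces the web-exposed actuator surface to health and info, switches off the three endpoints that leaked secrets and user tokens, and requires an operator account for anything else under the actuator base path. The package name, class name, the role ACTUATOR_ADMIN and the property values in the comments are assumptions; the property keys themselves are standard Spring Boot keys.

```java
// Added example (not PhilSys code). Assumes Spring Boot 2.x with
// spring-boot-starter-actuator and spring-boot-starter-security on the classpath.
//
// Companion settings for application.properties (assumed file in src/main/resources):
//
//   # Weak setting: makes every endpoint, including env, heapdump and httptrace,
//   # reachable over HTTP (Spring Boot 2.x exposes only health and info unless
//   # someone widens this):
//   # management.endpoints.web.exposure.include=*
//
//   # Corrected: expose only what operators and probes need over the web ...
//   management.endpoints.web.exposure.include=health,info
//   # ... and disable the endpoints that leak secrets and user tokens, so they
//   # stay off even for authenticated callers and even if exposure is widened later.
//   management.endpoint.env.enabled=false
//   management.endpoint.heapdump.enabled=false
//   management.endpoint.httptrace.enabled=false
//   # Health detail (component status, DB reachability) only for authenticated users.
//   management.endpoint.health.show-details=when_authorized

package gov.example.registration.config; // assumed package

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Second layer of defence: whatever remains exposed under the actuator base
 * path requires an authenticated operator, except the liveness check that
 * load balancers need. EndpointRequest matches on the configured base path
 * (for example a path such as /preregistration/v1/actuator), so no URL is
 * hard-coded here.
 */
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This adapter only handles requests aimed at actuator endpoints;
            // the application's own routes keep their existing security rules.
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests(requests -> requests
                // /actuator/health stays anonymous for infrastructure probes
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // everything else under the base path needs an operator account
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            // HTTP Basic is adequate for an operator-only surface served over TLS
            .httpBasic();
    }
}
```

Defining this adapter makes Spring Boot's default security auto-configuration back off, so an application that has no other security configuration should give this class an @Order and add a second WebSecurityConfigurerAdapter for its own routes, otherwise those routes end up with no security filter chain at all. Disabling env, heapdump and httptrace in properties is the part that removes the stored secrets and user tokens; the Java configuration is defence in depth for the endpoints that remain.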
The following documents my communications related to the disclosure of the issues I identified in this report.
- April 27, 2021 10:58 pm - I discovered the vulnerability.
- April 27, 2021 11:19 pm - After creating a quick documentation, I reported it to PhilSys via someone who is working with them.
- April 28, 2021 12:35 am - I confirmed that the issue has been fixed.
- April 28, 2021 12:43 am - Someone relayed the thank you message from PhilSys.
- April 28, 2021 3:00 am - Full Disclosure
Recommendation to PhilSys
- Please do change the secretKeys and passwords...
- Check for sensitive folders and files or open services and remove or close them before you deploy online.
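One way to make the second recommendation a repeatable check rather than a one-off review, as an added example (not PhilSys code): a JUnit 5 / MockMvc test that fails the build if any of the endpoints listed in this write-up answers an anonymous request, while confirming the health probe still works. The package, class and test names are assumptions, and the base path must be adjusted if the service sets management.endpoints.web.base-path or a servlet context path.

```java
// Added example (not PhilSys code). Assumes Spring Boot 2.x with
// spring-boot-starter-test (JUnit 5, Hamcrest, MockMvc) on the test classpath.
package gov.example.registration; // assumed package

import static org.hamcrest.Matchers.anyOf;
import static org.hamcrest.Matchers.is;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

/**
 * Pre-deployment regression check: every sensitive actuator endpoint must be
 * either not exposed (404) or protected (401/403) for an anonymous caller.
 * A 200 means the exposure fix has regressed.
 */
@SpringBootTest
@AutoConfigureMockMvc
class ActuatorExposureTest {

    @Autowired
    private MockMvc mvc;

    // "/actuator" is Spring Boot's default base path; change this if the
    // service configures management.endpoints.web.base-path or a context path.
    private static final String BASE = "/actuator";

    @ParameterizedTest(name = "/actuator/{0} must not be readable anonymously")
    @ValueSource(strings = {"env", "heapdump", "httptrace", "beans", "configprops",
                            "mappings", "threaddump", "loggers", "scheduledtasks"})
    void sensitiveEndpointsRejectAnonymousCallers(String id) throws Exception {
        mvc.perform(get(BASE + "/" + id))
           // disabled or unexposed -> 404; exposed but authenticated -> 401/403
           .andExpect(status().is(anyOf(is(401), is(403), is(404))));
    }

    @Test
    void healthProbeStaysReachable() throws Exception {
        mvc.perform(get(BASE + "/health"))
           .andExpect(status().isOk());
    }
}
```

Run it as part of the normal test phase so a change such as widening management.endpoints.web.exposure.include back to * cannot reach production unnoticed. If a health indicator reports DOWN in the test environment (for example because no database is reachable), the health endpoint returns 503; set management.health.defaults.enabled=false in the test profile or supply a test datasource rather than weakening the assertion.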