PhilSys fixes Publicly Accessible Instances

The Philippine Identification System, also known as PhilSys, is the government's central identification platform for all citizens and resident aliens of the Philippines.

As of November 20, 2020, the Philippine Statistics Authority (PSA) announced that 5,788,615 Filipinos have already completed Step 1 Registration of the Philippine Identification System (PhilSys). (Source: PSA)

The PSA is targeting 9 million Filipinos for Step 1 by the end of the year.

In this post, I will write about the security issues I discovered in PhilSys.


philsys.gov.ph

PhilSys's primary website is https://philsys.gov.ph/ and visiting it brings us to this page:

The TLS certificate served by philsys.gov.ph is issued for promis.philsys.gov.ph rather than for philsys.gov.ph itself, so the hostname does not match and the browser currently shows a Privacy Error page.
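As an added example (not code from the original post), the hostname-matching rule a browser applies when it decides whether a certificate covers the site name, run against a constructed certificate dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the certificate contents are assumed for illustration, not the real PhilSys certificate.

```python
"""Check whether a certificate's DNS names cover a hostname (RFC 6125 style)."""
from typing import Iterable


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly '*.example.org') against a hostname.

    A wildcard is honoured only as the whole left-most label, covers exactly one
    label, and never matches the bare parent domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Refuse overly broad wildcards such as '*.ph'; require label counts to agree.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: dict) -> list:
    """Collect DNS names from a getpeercert()-style dict (SAN first, CN only as fallback)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_covered(hostname: str, cert: dict) -> bool:
    """True when the certificate is valid for this hostname."""
    return any(_name_matches(name, hostname) for name in cert_dns_names(cert))


def mismatches(hostnames: Iterable[str], cert: dict) -> list:
    """Fleet check: return the hostnames a shared certificate does NOT cover."""
    return [host for host in hostnames if not hostname_covered(host, cert)]


# Constructed sample: a cert issued only for promis.philsys.gov.ph, as served on philsys.gov.ph
SAMPLE_CERT = {
    "subject": ((("commonName", "promis.philsys.gov.ph"),),),
    "subjectAltName": (("DNS", "promis.philsys.gov.ph"),),
}
# Constructed sample: a wildcard cert that also lists the apex domain explicitly
WILDCARD_CERT = {
    "subject": ((("commonName", "*.philsys.gov.ph"),),),
    "subjectAltName": (("DNS", "*.philsys.gov.ph"), ("DNS", "philsys.gov.ph")),
}

if __name__ == "__main__":
    for host in ("philsys.gov.ph", "promis.philsys.gov.ph"):
        print(host, "covered" if hostname_covered(host, SAMPLE_CERT) else "MISMATCH (browser warning)")
```

The same check, fed with the output of `ssl.SSLSocket.getpeercert()` for each hostname in an inventory, flags the kind of misdeployed certificate described above before a browser does.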

The Apache2 Ubuntu Default Page will be shown if you continue to visit the site.

To find more subdomains and instances, I decided to use Shodan with an SSL filter to locate instances under philsys.gov.ph.

Shodan is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet.

I have also used the public 'Certificate Search' website to locate other instances or subdomains.

From simple information gathering, I was able to find public instances of PhilSys, some of which could potentially expose information.

sandbox.philsys.gov.ph

The website contained multiple links.

  • Docker versions - This will redirect you to a versions.txt file containing Docker version information.
  • Pre-Registration - This will redirect you to MOSIP's Pre-registration page.
  • Admin - This will redirect you to MOSIP's admin page.
  • Registration Client Zip - Clicking this will download the source code of the registration client (https://sandbox.philsys.gov.ph/registration-client/1.1.2/reg-client.zip).
  • Keycloak - This will redirect you to https://sandbox.philsys.gov.ph/keycloak/auth/.
  • ActiveMQ - This will redirect you to https://sandbox.philsys.gov.ph/activemq/admin/
  • Minio - This will redirect you to https://sandbox.philsys.gov.ph/minio/
  • Grafana and Kibana

Please note that (as far as I remember), some links were not working.

The Registration Client is an open source project from MOSIP and you can also download the same file here: https://github.com/mosip/registration/releases/tag/v1.1.2

PhilSys' MOSIP admin page is publicly accessible: no credentials are needed to authenticate and access it. The good news is that it doesn't contain any information.

The Kibana instance was publicly accessible, just like the MOSIP admin page.

Kibana is an open-source data visualization and exploration tool used for log and time-series analytics, application monitoring, and operational intelligence use cases.

All of these findings were reported to PhilSys on November 26, 2020. The domain http://sandbox.philsys.gov.ph/ is no longer accessible as of December 17, 2020.

There is now a new one, http://sandbox1.philsys.gov.ph/, but for some reason the links are not working.

console.philsys.gov.ph

This instance hosted a Kibana application, and no authentication was needed to access the collected/stored data.

Their Kibana instance contains logs which can be considered sensitive.

This was reported to PhilSys on December 10, 2020. The domain https://console.philsys.gov.ph/ is no longer accessible as of December 17, 2020.

Recommendations to PhilSys

  • Staging, testing, or sandbox environments should only be accessible internally; a VPN can be used to reach them remotely.
  • If an instance is not intended for public use, keep it private. Kibana is not meant for public use, so it should be kept private.
  • Implement a web application firewall to prevent disclosure of the origin IP address. If the origin IP is exposed, malicious actors can use it to gather more information about the system.
  • Disable the registration page on instances that don't need it. I noticed that some applications' registration forms were accessible and that you could actually register for an account (for example, PhilSys' NextCloud application).
  • Filter the currently open ports. Some instances have many open ports that are publicly accessible; these should be filtered, or closed if they are not in use.

Thumbnail image source: https://www.rappler.com/nation/duterte-national-identification-system-law-signing