FASSSTER, short for Feasibility Analysis of Syndromic Surveillance Using Spatio-Temporal Epidemiological Modeler For Early Detection of Diseases, is a web application used by the Inter-Agency Task Force (IATF) to analyze aggregated data to make recommendations to the government.
The FASSSTER contained security vulnerabilities in their web application that enable anyone to access sensitive details stored in their server.
The picture shown below shows that FASSSTER is part of the Coordinated COVID Response System of the Inter-Agency Task Force (IATF).
On July 15, 2020, when searching for PH-based web instances via Shodan, I discovered a public instance under the Ateneo de Manila University organization.
In the following section, I present my findings from the publicly accessible instance.
Directory Listing - CWE-548
Directory listing is a function that shows the contents of a certain directory when there is no specified index file. It is risky to leave this enabled to the web server because it leads to the disclosure of details.
You will be greeted with several directories and files when you visit http://188.8.131.52. This is due to the enabled Directory Listing.
You will be given the following details about FASSSTER's server by accessing the phpinfo.php file.
Looking for more sensitive files, I found a folder containing the web server's real-time logs.
Enabled Debug Mode - CWE:1295
Debug mode is a feature for most web application which help software engineers in identifying the issues in their code. However, leaving it enabled upon deployment to production exposes sensitive information such as credentials and information about the application..
Checking other folders and files, I confirmed that there were some important details about the FASSSTER's server and web application.
The folder fassster-covid19 contains sensitive files of their API. It was accessible by visiting this URL http://184.108.40.206/fassster-covid19/. The equivalent of that URL in their live environment was https://fassster.ehealth.ph/fassster-covid19.
Inside the folder, there was a file called server.php which contains errors that leads to exposure of email and database credentials.
The same information will be returned by accessing the live environment https://fassster.ehealth.ph/fassster-covid19/public/api/user.
Moreover, I also discovered Tanod-related credential in a public config file.
Personal Information Leakage - CWE:538
The web application places sensitive information into files or directories that are publicly accessible to any actors.
Some backup files that hold some users' PII files were also discovered.
And after researching, I also found out that Google was able to cache it.
July 15, 2020 1:20 AM - I emailed the National Computer Emergency Response Team (NCERT) at [email protected] regarding the issues I identified with the web app since this project is related to the Government. The email contained necessary details and recommendations to fix the identified issues.
July 15, 2020 4:05 AM - I received a response from Mr. Alwell of NCERT stating
We will coordinate with the affected organization as soon as possible today. thank you for reporting this issue to us.
After that, I haven't received any reply from them.
More than a month has passed and the issue was still there (around August).
My friend and teammate in the hackstreetboys group, James P , knows a friend working with FASSSTER under the Systems Development team. He also informed me that he was told that they already fixed the issue regarding exposed credential in config.js and backup files. He then asked me if I can forward the email I sent to NCERT to his friend. So I forwarded the email.