Publicly Accessible Instance of FASSSTER leads to Disclosure of Information (RESOLVED)

FASSSTER

FASSSTER, short for Feasibility Analysis of Syndromic Surveillance Using Spatio-Temporal Epidemiological Modeler For Early Detection of Diseases, is a web application used by the Inter-Agency Task Force (IATF) to analyze aggregated data and make recommendations to the government.

The FASSSTER web application contained security vulnerabilities that enabled anyone to access sensitive details stored on its server.

The figure below shows that FASSSTER is part of the Coordinated COVID Response System of the Inter-Agency Task Force (IATF).

TECHNICAL FINDINGS

On July 15, 2020, when searching for PH-based web instances via Shodan, I discovered a public instance under the Ateneo de Manila University organization.

Figure 1: Result of FASSSTER from Shodan using the query http.title:"Index of /" country:"PH"
Figure 2: Result of FASSSTER from Shodan using the query http.title:"Index of /" country:"PH"

In the following section, I present my findings from the publicly accessible instance.

Directory Listing - CWE-548

Directory listing is a web server feature that shows the contents of a directory when that directory has no index file. Leaving it enabled on a web server is risky because it discloses the files and folders stored there.

Visiting http://202.125.102.51 shows several directories and files, because directory listing is enabled.

Figure 3: Website lists the folders and files of FASSSTER

Accessing the phpinfo.php file reveals the following details about FASSSTER's server.

Figure 4: Access phpinfo.php displays some information about its server

Looking for more sensitive files, I found a folder containing the web server's real-time logs.

Figure 5: Publicly accessible log file of FASSSTER API

Enabled Debug Mode - CWE-1295

Debug mode is a feature of most web application frameworks that helps software engineers identify issues in their code. However, leaving it enabled when deploying to production exposes sensitive information such as credentials and details about the application.

Checking other folders and files, I confirmed that they contained important details about FASSSTER's server and web application.

The folder fassster-covid19 contains sensitive files of their API. It was accessible at http://202.125.102.51/fassster-covid19/. The equivalent URL in their live environment was https://fassster.ehealth.ph/fassster-covid19.

Inside the folder, there was a file called server.php whose error output exposed email and database credentials.

Figure 6: Debug page shows credentials of their mail account and database.

The same information will be returned by accessing the live environment https://fassster.ehealth.ph/fassster-covid19/public/api/user.

Figure 7: Live environment shows the same debug page as Figure 6.

I also discovered a Tanod-related credential in a public config file.

Figure 8: Hardcoded User and Pass for Tanod in config.js file

Personal Information Leakage - CWE-538

The web application places sensitive information into files or directories that are publicly accessible to any actor.

Backup files holding users' personally identifiable information (PII) were also discovered.

Figure 9: A file containing some information about patients?

After further research, I also found that Google had cached it.

Figure 10: Google result shows the accessible backup folder of FASSSTER
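The three finding classes above (directory listing, a debug page printing credentials, and publicly reachable backup or export files) can be recognised from a server's own HTTP responses. The following Python is an added self-audit example, not code from this write-up or from the FASSSTER project: it classifies already-captured responses into those classes plus phpinfo exposure, and redacts any credential value it recognises so the audit report does not become a second leak. The hostnames, paths, response bodies and credential strings are constructed placeholders, and the detection patterns are assumptions for illustration rather than output of any real scanner; it goes slightly beyond the page by handling a whole batch of responses at once.

```python
import re
from dataclasses import dataclass, field


@dataclass
class HttpResponse:
    """Minimal model of an already-captured HTTP response (constructed for this example)."""
    url: str
    status: int
    body: str
    headers: dict = field(default_factory=dict)


# Hypothetical detection heuristics for the finding classes in the write-up.
DIR_LISTING_TITLE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)
HREF = re.compile(r'href="([^"?]+)"', re.IGNORECASE)
# Extensions a backup or data export typically carries
BACKUP_FILE = re.compile(r"\.(sql|bak|old|zip|tar|gz|csv|xlsx?)$", re.IGNORECASE)
PHPINFO_MARKER = re.compile(r"phpinfo\(\)", re.IGNORECASE)
# "KEY => value", "KEY=value" or "KEY: value" pairs an environment dump prints
CREDENTIAL_PAIR = re.compile(
    r"\b((?:DB|MAIL|MYSQL|SMTP)_(?:USERNAME|USER|PASSWORD|PASS))\b"
    r"\s*(?:=>|=|:)\s*['\"]?([^'\"\s<]+)"
)
# Column names that mark a downloadable file as holding personal data
PII_COLUMNS = ("first_name", "last_name", "birthdate", "contact_number", "address")


def listed_entries(body):
    """Return the file and sub-directory names linked from an index page,
    skipping the parent-directory link and the column-sort links."""
    return [h for h in HREF.findall(body) if not h.startswith("/")]


def classify(resp):
    """Map one response to (category, detail) findings. Credential values are
    never copied into the result, only the key name that was printed."""
    findings = []
    if resp.status != 200:
        return findings  # a 403/404 exposes nothing here
    if DIR_LISTING_TITLE.search(resp.body):
        entries = listed_entries(resp.body)
        findings.append(("CWE-548", f"directory listing with {len(entries)} entries"))
        for name in entries:
            if BACKUP_FILE.search(name):
                findings.append(("CWE-538", f"backup/export file exposed: {name}"))
    if PHPINFO_MARKER.search(resp.body):
        findings.append(("server-info", "phpinfo() output exposed"))
    for key, _value in CREDENTIAL_PAIR.findall(resp.body):
        findings.append(("CWE-1295", f"{key} printed by debug page (value redacted)"))
    path = resp.url.split("?", 1)[0]
    if BACKUP_FILE.search(path) and any(c in resp.body.lower() for c in PII_COLUMNS):
        findings.append(("CWE-538", "downloadable file contains personal-data columns"))
    return findings


def audit(responses):
    """Classify a batch of captured responses; URLs with no finding are omitted."""
    report = {}
    for resp in responses:
        found = classify(resp)
        if found:
            report[resp.url] = found
    return report


# Constructed sample responses; hostnames, paths and secrets are placeholders.
SAMPLE_INDEX = HttpResponse(
    url="http://webserver.example/",
    status=200,
    body=(
        "<html><head><title>Index of /</title></head><body>"
        '<a href="?C=N;O=D">Name</a> <a href="/">Parent Directory</a> '
        '<a href="phpinfo.php">phpinfo.php</a> <a href="backup/">backup/</a> '
        '<a href="patients_export.csv">patients_export.csv</a></body></html>'
    ),
)
SAMPLE_PHPINFO = HttpResponse(
    url="http://webserver.example/phpinfo.php",
    status=200,
    body="<html><head><title>phpinfo()</title></head><body>...</body></html>",
)
SAMPLE_DEBUG = HttpResponse(
    url="http://webserver.example/app/public/api/user",
    status=200,
    body=(
        "<h1>Stack trace</h1><pre>\n"
        "DB_USERNAME => appuser\n"
        "DB_PASSWORD => not-a-real-password\n"
        'MAIL_PASSWORD => "also-not-real"\n'
        "</pre>"
    ),
)
SAMPLE_EXPORT = HttpResponse(
    url="http://webserver.example/patients_export.csv",
    status=200,
    body="first_name,last_name,birthdate,contact_number\nJane,Doe,1990-01-01,0000000\n",
)

if __name__ == "__main__":
    for url, found in audit([SAMPLE_INDEX, SAMPLE_PHPINFO, SAMPLE_DEBUG, SAMPLE_EXPORT]).items():
        print(url)
        for category, detail in found:
            print(f"  {category}: {detail}")
```

The classifier only looks at responses you have already collected from your own server, so it fits into a post-deployment check: feed it the responses for the document root, any debug endpoint and any file the index page links to, and treat every CWE-548 or CWE-538 hit as a configuration defect (disable index generation, move backups out of the web root) and every CWE-1295 hit as a reason to turn debug mode off and rotate the printed credential.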

Vulnerability Disclosure

July 15, 2020 1:20 AM - I emailed the National Computer Emergency Response Team (NCERT) at [email protected] regarding the issues I identified with the web app, since this project is related to the Government. The email contained the necessary details and recommendations to fix the identified issues.

July 15, 2020 4:05 AM - I received a response from Mr. Alwell of NCERT stating, "We will coordinate with the affected organization as soon as possible today. Thank you for reporting this issue to us."

After that, I did not receive any further reply from them.

More than a month passed and the issue was still there (around August).

My friend and teammate in the hackstreetboys group, James P, knows a friend working with FASSSTER under the Systems Development team. He also informed me that he was told they had already fixed the issue regarding the exposed credential in config.js and the backup files. He then asked me if I could forward the email I sent to NCERT to his friend, so I forwarded the email.

End.