From an error message to DB disclosure

Hey everyone,

Welcome on my first write-up. Today, I would like to share a simple but interesting bug I found some months ago on a public program.

During my recon process, I discovered on a subdomain, a PHP file with an error message like this :

We can see two main things on this screenshot, an URL pointing to mongolab.com and in this URL an Api Key.

My first reflex was to check what is mongolab, according to their website :

mLab is the leading Database-as-a-Service for MongoDB, powering over half a million deployments worldwide.

Oh a database service, interesting. Let’s go to check what is the « API key » functionality.

According to the documentation :

It’s nice but we need to check if the API key is valid or not. I used the request provided by the documentation :

https://api.mlab.com/api/1/databases?apiKey=[KEY]

And …

Nice, I can print the databases. But to be a valid issue, I need to verify if I can gain access to sensitive data. I played with the resources provided by the documentation and finally :

To conclude, read carrefully error messages, they can contain interresting data and can lead to more serious issue.

Timeline:

2018/02/15: Submitted

2018/02/15: Need more infos

2018/02/15: Additional informations provided

2018/02/21: Triaged

2018/03/02: Resolved

I hope you enjoyed this reading !

Yumi

Thanks to: Cinabre, Yothard