From an error message to DB disclosure

Yumi
Apr 17, 2018 · 2 min read

Hey everyone,

Welcome to my first write-up. Today I would like to share a simple but interesting bug I found some months ago on a public program.

During my recon process, I discovered, on a subdomain, a PHP file that displayed an error message like this:

[Screenshot of the error message]

We can see two main things in this screenshot: a URL pointing to mongolab.com, and in this URL an API key.

My first reflex was to check what mongolab is. According to their website:

mLab is the leading Database-as-a-Service for MongoDB, powering over half a million deployments worldwide.

Oh, a database service, interesting. Let's check what the "API key" functionality is.

According to the documentation:

[Screenshot of the mLab API documentation]

That's nice, but we need to check whether the API key is valid or not. I used the request provided by the documentation:

https://api.mlab.com/api/1/databases?apiKey=[KEY]

And …

[Screenshot of the API response]

Nice, I can list the databases. But for this to be a valid issue, I need to verify that I can gain access to sensitive data. I played with the resources provided by the documentation and finally:

[Screenshots of the data retrieved through the API]

To conclude, read error messages carefully: they can contain interesting data and can lead to more serious issues.
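As an added example (not part of the original post), here is a small Python scanner that flags and redacts credentials embedded in URLs inside error output, such as an apiKey query parameter or user:password@ userinfo in a connection string; the sample error text, the parameter list and every hostname other than api.mlab.com are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string parameter names that commonly carry credentials (assumed list, extend as needed).
SECRET_PARAMS = {"apikey", "api_key", "key", "token", "access_token", "secret", "password"}

# Any scheme://... token; stops at whitespace, quotes, angle brackets and a closing paren.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.\-]*://[^\s'\"<>)]+", re.IGNORECASE)

# Constructed sample: a PHP warning of the kind the write-up describes, with a made-up
# key, made-up credentials and a made-up host (only api.mlab.com comes from the post).
SAMPLE_ERROR = (
    "Warning: file_get_contents(https://api.mlab.com/api/1/databases/app?apiKey=abc123DEF456): "
    "failed to open stream in /var/www/html/sync.php on line 12\n"
    "Notice: connecting to mongodb://appuser:S3cret@ds012345.mlab.com:12345/app"
)

def find_leaked_credentials(text):
    """Return (kind, name, url) for every URL in `text` that carries a credential,
    either as a secret-looking query parameter or as user:password@ userinfo."""
    findings = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        if parts.username is not None:
            findings.append(("userinfo", parts.username, url))
        for name, _value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SECRET_PARAMS:
                findings.append(("query", name, url))
    return findings

def redact(text):
    """Return `text` with credential-bearing URL parts replaced by [REDACTED],
    so the error output can be logged or shared without leaking the secret."""
    def _redact_url(match):
        parts = urlsplit(match.group(0))
        netloc = parts.netloc
        if "@" in netloc:                       # drop the whole user:password@ prefix
            netloc = "[REDACTED]@" + netloc.rsplit("@", 1)[-1]
        pairs = [(n, "[REDACTED]" if n.lower() in SECRET_PARAMS else v)
                 for n, v in parse_qsl(parts.query, keep_blank_values=True)]
        query = urlencode(pairs, safe="[]")     # keep the brackets of the placeholder literal
        return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))
    return URL_RE.sub(_redact_url, text)

if __name__ == "__main__":
    for kind, name, url in find_leaked_credentials(SAMPLE_ERROR):
        print(f"{kind:8} {name}: {url}")
    print(redact(SAMPLE_ERROR))
```

Run over a web server's error log or a staging page's response body, the finding list is what a reviewer should act on, and the redacted text is what can safely go into a ticket.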

Timeline:

2018/02/15: Submitted

2018/02/15: More information requested

2018/02/15: Additional information provided

2018/02/21: Triaged

2018/03/02: Resolved

I hope you enjoyed the read!

Yumi

Thanks to: Cinabre, Yothard
