Use of GET Request Method With Sensitive Query Strings in fisharebest/webtrees


Reported on

Sep 5th 2021

✍️ Description

Sensitive data including username and email address is passed as query strings through GET request during registration. When the given email or username exists the database at the time of user registration, The application passes the given username and email address through GET request to the server.

🕵️‍♂️ Proof of Concept

GET Request

💥 Impact

Information exposure through query strings in URL is when sensitive data is passed to parameters in the URL. This allows attackers to obtain sensitive data such as usernames, passwords, tokens (authX), database details, and any other potentially sensitive data. Simply using HTTPS does not resolve this vulnerability.


We have contacted a member of the fisharebest/webtrees team and are waiting to hear back 2 years ago
Greg Roach validated this vulnerability 2 years ago
Melbin Mathew Antony has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach marked this as fixed with commit ad5316 2 years ago
Greg Roach has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation