Adlisting Classified Ads 2.14.0 - WebPage Content Information Disclosure

Exploit Author: CraCkEr
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: JavaScript
Published Date: 2023-08-08
# Exploit Title: Adlisting Classified Ads 2.14.0 - WebPage Content Information Disclosure
# Exploit Author: CraCkEr
# Date: 25/07/2023
# Vendor: Templatecookie
# Vendor Homepage: https://templatecookie.com/
# Software Link: https://templatecookie.com/demo/adlisting-classified-ads-script
# Version: 2.14.0
# Tested on: Windows 10 Pro
# Impact: Sensitive Information Leakage
# CVE: CVE-2023-4168


## Description

An information disclosure issue exists in the redirect responses. When accessing any page on the website,
sensitive data such as API keys, server keys, and app IDs is exposed in the body of these redirects.


## Steps to Reproduce:

When you visit any page on the website, like:

https://website/ad-list?category=electronics
https://website/ad-list-search?page=2
https://website/ad-list-search?keyword=&lat=&long=&long=&lat=&location=&category=&keyword=

the body of the page response leaks the following values:

+---------------------+
google_map_key
api_key
auth_domain
project_id
storage_bucket
messaging_sender_id
app_id
measurement_id
+---------------------+


Note: The same leaked information (API keys, server keys, and app ID) is what was entered in the "Firebase Push Notification Configuration" section of the Administration Panel.

The "Firebase Push Notification Configuration" settings are in the Administration Panel at this path:

https://website/push-notification (Login as Administrator)



[-] Done


Adlisting Classified Ads 2.14.0 – WebPage Content Information Disclosure: A Critical Security Vulnerability

On July 25, 2023, a significant security flaw was disclosed in Adlisting Classified Ads 2.14.0, a widely used web application framework developed by Templatecookie. The vulnerability, identified as CVE-2023-4168, exposes sensitive configuration data through redirect responses, potentially compromising the integrity of the entire application ecosystem.

Understanding the Vulnerability

The core issue lies in improper handling of redirect responses within the application’s routing mechanism. When users access any public page—such as listing ads, searching, or browsing categories—the server returns a redirect response that includes raw configuration data in the response body.

These redirects, often triggered by missing or invalid parameters, unintentionally leak critical information such as:

Leaked Information     Role in Application
---------------------  -----------------------------------------------------
google_map_key         Used for integrating Google Maps functionality
api_key                Authentication key for third-party API services
auth_domain            Domain used for Firebase authentication
project_id             Unique identifier for the Firebase project
storage_bucket         Cloud storage location for user uploads
messaging_sender_id    Identifier for Firebase Cloud Messaging (FCM)
app_id                 Application identifier used in Firebase and analytics
measurement_id         Google Analytics tracking identifier

These values are not meant to be exposed publicly. Their disclosure enables attackers to:

  • Access Firebase resources without authentication
  • Forge requests to third-party APIs using stolen api_key
  • Perform reconnaissance on backend infrastructure
  • Exploit misconfigured storage buckets for data exfiltration

Attack Vector: Redirect Response Leakage

Consider the following example URL:

https://website/ad-list?category=electronics

When the server processes this request and encounters an invalid or missing parameter, it redirects the user—typically to a default page or error handler. However, instead of a clean redirect, the response body contains a JSON payload with full configuration details.

This behavior is a direct result of improper response handling. The application fails to sanitize or remove sensitive data before redirecting, effectively exposing configuration secrets in plain text.
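As an added check for operators (not code from the advisory or the analysis), the following Python snippet parses a raw HTTP response and reports whether a redirect carries a body and which of the configuration keys listed above appear in it with a non-empty value. Both sample responses are constructed here to show the leaking shape beside the header-only shape.

```python
import re

# Key names the advisory reports in the leaked response body
LEAK_KEYS = (
    "google_map_key", "api_key", "auth_domain", "project_id",
    "storage_bucket", "messaging_sender_id", "app_id", "measurement_id",
)

# Matches a listed key followed by a non-empty value, e.g. "api_key":"AIza..."
_KEY_RE = {k: re.compile(r'\b' + re.escape(k) + r'\b["\']?\s*[:=]\s*["\']?([^"\'\s,}]+)')
           for k in LEAK_KEYS}

def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into (status, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ")[1])
    headers = {n.strip().lower(): v.strip() for n, _, v in
               (line.partition(":") for line in header_lines)}
    return status, headers, body

def audit_response(raw):
    """Report whether a response body carries the advisory's configuration keys."""
    status, headers, body = parse_http_response(raw)
    is_redirect = 300 <= status < 400 and "location" in headers
    leaked = [k for k, rx in _KEY_RE.items() if rx.search(body)]
    return {
        "status": status,
        # A redirect with any body at all is the shape the mitigation section forbids
        "redirect_with_body": is_redirect and len(body.strip()) > 0,
        "leaked_keys": leaked,
        "leaks_secrets": bool(leaked),
    }

# Constructed sample: a 302 that carries the configuration in its body (vulnerable shape)
LEAKING_RESPONSE = (
    "HTTP/1.1 302 Found\r\nLocation: /ad-list\r\nContent-Type: application/json\r\n\r\n"
    '{"google_map_key":"AIza-MAP-EXAMPLE","api_key":"AIza-API-EXAMPLE",'
    '"auth_domain":"example-app.firebaseapp.com","project_id":"example-app",'
    '"storage_bucket":"example-app.appspot.com","messaging_sender_id":"123456789012",'
    '"app_id":"1:123456789012:web:abcdef","measurement_id":"G-EXAMPLE"}'
)
# Constructed sample: a header-only 302, the shape the mitigation section calls for
CLEAN_RESPONSE = "HTTP/1.1 302 Found\r\nLocation: /error\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("leaking", LEAKING_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(name, audit_response(raw))
```

Keys whose value is empty are deliberately not flagged, so a response that merely names the settings without populating them does not count as a leak.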

Administrative Panel Exposure

Even more alarming, the same sensitive data is stored in the Firebase Push Notification Configuration section of the admin panel at:

https://website/push-notification

Administrators must log in to access this section, but if the configuration is exposed via redirect responses, attackers can obtain the same data without authentication.

For instance, if an attacker crafts a malicious query:

https://website/ad-list-search?keyword=&lat=&long=&location=&category=&keyword=

the server responds with a redirect containing the full Firebase configuration—potentially allowing unauthorized access to push notification systems, analytics, and cloud storage.

Impact and Risk Assessment

This vulnerability has a high severity impact due to:

  • Information disclosure: Direct exposure of API keys and authentication tokens
  • Privilege escalation: Attackers can bypass authentication mechanisms using stolen credentials
  • Service abuse: Unauthorized use of Firebase services, leading to billing fraud
  • System compromise: Access to storage buckets may lead to data theft or injection attacks

Additionally, since the configuration data is reused across multiple services (Google Maps, Firebase, analytics), a single leak can compromise multiple layers of the application.

Real-World Implications

Imagine a scenario where an attacker:

  1. Scans public URLs on a live Adlisting instance
  2. Extracts the api_key from redirect responses
  3. Uses it to authenticate to a third-party API (e.g., payment gateway)
  4. Creates fraudulent transactions using the application’s credentials

Such abuse can lead to financial loss, data breaches, and reputational damage for the hosting organization.

Recommended Mitigation Strategies

To prevent this vulnerability, developers must implement the following best practices:

  • Sanitize redirect responses: Never include configuration data in redirect body payloads.
  • Use minimal redirects: Redirects should only contain HTTP headers, not body content.
  • Separate configuration from routing logic: Store sensitive data in secure, environment-specific files (e.g., .env) and avoid embedding in web responses.
  • Implement access control: Ensure admin panel endpoints are protected with strong authentication and rate limiting.
  • Enable logging and monitoring: Track unusual access patterns to detect exploitation attempts.

Corrected Code Example

Here’s a corrected version of how redirect handling should be implemented:

// Returns true only when every expected parameter is present and non-empty
function isValid(array $params): bool {
    foreach ($params as $name => $value) {
        if ($value === null || trim((string) $value) === '') {
            return false;
        }
    }
    return true;
}

function handleRedirect(string $url, array $params): void {
    // Validate parameters
    if (!isValid($params)) {
        // Do NOT include sensitive data in response body;
        // the third argument sets the 302 status in the same call
        header('Location: /error', true, 302);
        exit(); // No body content
    }

    // Proceed with valid request
    header('Location: ' . $url, true, 302);
    exit();
}

Explanation: This code ensures that when a redirect is triggered due to invalid parameters, no sensitive data is included in the response. The redirect only sends HTTP headers, and the body is intentionally empty. This prevents information leakage while maintaining functionality.

Conclusion

The Adlisting Classified Ads 2.14.0 vulnerability highlights a critical flaw in web application design: never expose configuration data through public endpoints. Developers must prioritize security hygiene—especially when handling redirects and error responses.

For users of this software, immediate patching is advised. For vendors and developers, this serves as a reminder: security must be baked into every layer of the application, not just the admin panel.