FirstBlood-#104 — New doctors can query appointments and users informations using vulnerable /drpanel/drapi/query.php endpoint
This issue was discovered on FirstBlood v1.0.0
On 2021-05-10, holybugx reported:
By default, new doctors aren't able to query for a patient's appointment information
However, I found out that there is an API endpoint
/drpanel/drapi/query.php?aptid=that queries for appointment information.
I realized "new doctors" can use this API endpoint to query for appointment information and patient's PII.
Steps to reproduce
If you open the
/drpanel/drapi/query.php?aptid=endpoint with an
aptidprovided you can query the appointments information, however, new doctors don't have access to the
If you want to see how this would work, you can use the appointment ID of the user John Smith:
Brute-forcing the Appointment ID of other users
If the attacker wants to access the PII of the other users he needs to have access to the
We already know that "new doctors" don't have access to this, however, because the
aptidis a 8 digit integer and only the last 4 digits are changing, they can be Brute-Forced.
Appointment ID of user "John Smith":
Appointment ID of a random user submitting an appointment:
You can tell that only the last 4 digits are changing, so an attacker can use
5691§FUZZ§to find others and to query for them.
Here is an example Brute-Forcing attack an attacker could do:
- Because it's a 4 digit number Brute-Force, the proper number range should be set as
- You can see the matching ID brings the patient information:
- Patients PII Leakage
If you need any further assistance please let me know.
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.