FirstBlood-#104: New doctors can query appointments and user information using vulnerable /drpanel/drapi/query.php endpoint
This issue was discovered on FirstBlood v1

On 2021-05-10, holybugx Level 5 reported:


By default, new doctors aren't able to query for a patient's appointment information.

However, I found out that there is an API endpoint /drpanel/drapi/query.php?aptid= that queries for appointment information.

I realized "new doctors" can use this API endpoint to query for appointment information and patient's PII.

Steps to reproduce

If you open the /drpanel/drapi/query.php?aptid= endpoint with an aptid provided, you can query the appointment's information; however, new doctors don't have access to the aptid.

If you want to see how this would work, you can use the appointment ID of the user John Smith:

Brute-forcing the Appointment ID of other users

If the attacker wants to access the PII of other users, he needs to have access to their aptid.

We already know that "new doctors" don't have access to this; however, because the aptid is an 8-digit integer and only the last 4 digits are changing, they can be Brute-Forced.

  • Appointment ID of user "John Smith": aptid: 56910219

  • Appointment ID of a random user submitting an appointment: aptid: 56913137

You can tell that only the last 4 digits are changing, so an attacker can use 5691§FUZZ§ to find others and to query for them.

Here is an example Brute-Forcing attack an attacker could do:

  • Because it's a 4-digit number Brute-Force, the proper number range should be set as 0000-9999
  • You can see the matching ID brings the patient information:


  • Patients PII Leakage

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
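
A detection-side sketch for the enumeration pattern the report describes, added here as an example and not part of the original report or of FirstBlood's code: it flags any client that requests many distinct aptid values from /drpanel/drapi/query.php in a short window. The log layout, the threshold, the window and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed "combined"-style access log layout; adjust the pattern to the real format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /drpanel/drapi/query\.php\?aptid=(?P<aptid>\d+)[^"]*" \d{3} '
)

def parse(lines):
    """Yield (client, timestamp, aptid) for each request to the query endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["aptid"]

def find_enumerators(lines, max_distinct=5, window=timedelta(minutes=5)):
    """Map client -> peak count of distinct aptid values seen inside one window,
    for clients whose peak exceeds max_distinct (both limits are assumptions)."""
    per_client = defaultdict(list)  # keyed on IP; a session or account id is better if logged
    for ip, ts, aptid in parse(lines):
        per_client[ip].append((ts, aptid))
    flagged = {}
    for ip, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({a for _, a in events[start:end + 1]})
            if distinct > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def sample_log():
    """Constructed log: one client re-reading a single appointment, one walking IDs."""
    t0 = datetime(2021, 5, 10, 12, 0, 0, tzinfo=timezone.utc)
    row = '{} - - [{}] "GET /drpanel/drapi/query.php?aptid={} HTTP/1.1" 200 512 "-" "-"'
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [row.format("198.51.100.4", stamp(t0 + timedelta(minutes=i)), 56910219)
             for i in range(3)]
    lines += [row.format("203.0.113.7", stamp(t0 + timedelta(seconds=i)), 56910000 + i)
              for i in range(20)]
    return lines

if __name__ == "__main__":
    for client, count in find_enumerators(sample_log()).items():
        print(f"{client}: {count} distinct aptid values within 5 minutes")
```

Alerting of this kind complements, and does not replace, a server-side role check on the endpoint, since the underlying issue is that non-privileged doctor accounts can reach it at all.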