FirstBlood-#105 Info leak on reddit leads to create acc with admin privileges

On 2021-05-10, pichik reported:

Description

Hi,
I found invite code that is used for registration leaked in reddit by one of the doctors.
Here is the link:
https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/

This can be used here: http://firstbloodhackers.com/register.php to register a new doctor
and get access to /drpanel.

These new accounts have some limitations on viewing appointments, as it says your account is new and has no privileges to view this,
but this can be easily bypassed by sending requests directly from Burp Suite.

Limitation bypasses:

  1. To see patient info it shows "You are not authorised to view this. Consult your medical administrator."
    But accessing it directly at /drpanel/drapi/query.php?aptid=56910219, we can see everything.
  2. To search for a patient it shows "As your account is new you are unable to search for patients."
    But sending a POST request directly to /drpanel/drapi/qp.php with an empty name parameter will show every user.

Impact

Impact is critical as this instantly gives us access to the admin panel, and thus to all user personal data.
This can also be used to lock out other doctors, as this registration can be used with an already existing username to change their password.

P2 High

Endpoint: /register.php

This bug makes use of the following vulnerabilities in a chain:

  • Auth issues
  • Auth issues
  • Auth issues


FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.

FirstBlood ID: 17
Vulnerability Type: Auth issues

Unintended: An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's.

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
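As an added illustration (not FirstBlood's code; the in-memory store, function names and sample records are assumptions), a Python model of the server-side checks the three findings above call for: a single-use invite code, registration that refuses an already existing username instead of replacing it, and a privilege check enforced by the API endpoints themselves rather than only by the panel UI.

```python
from dataclasses import dataclass, field


# Constructed in-memory state standing in for the application's database
# (assumption: not the real FirstBlood schema).
@dataclass
class Store:
    invite_codes: set = field(default_factory=set)   # unused, single-use codes
    doctors: dict = field(default_factory=dict)      # username -> {"privileged": bool}
    patients: dict = field(default_factory=dict)     # aptid -> patient record


def register_doctor(store, invite_code, username):
    """ID 15 / ID 17: consume the invite code on first use and never overwrite an account."""
    if invite_code not in store.invite_codes:
        return None                                  # unknown or already-consumed code
    if username in store.doctors:
        return None                                  # refuse; do not replace the existing doctor
    store.invite_codes.discard(invite_code)          # burn the code so a leak is single-use
    store.doctors[username] = {"privileged": False}  # new accounts start unprivileged
    return username


def is_privileged(store, username):
    """Authorization decision taken from server-side account state, not from the UI."""
    doc = store.doctors.get(username)
    return bool(doc and doc["privileged"])


def query_appointment(store, username, aptid):
    """ID 11: the query.php-style endpoint must apply the same check the panel page shows."""
    if not is_privileged(store, username):
        return None
    return store.patients.get(aptid)


def search_patients(store, username, name):
    """qp.php-style search: enforce privilege and reject an empty name so no full dump is possible."""
    if not is_privileged(store, username) or not name.strip():
        return []
    return [p for p in store.patients.values() if name.lower() in p["name"].lower()]
```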


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.