FirstBlood-#105 — Info leak on reddit leads to create acc with admin privileges
This issue was discovered on FirstBlood v1
On 2021-05-10, pichik Level 4 reported:
Description
Hi,
I found an invite code that is used for registration leaked on reddit by one of the doctors.
Here is the link:
https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/
This can be used here: http://firstbloodhackers.com/register.php to register a new doctor and get access to /drpanel.
These new accounts have some limitations on viewing appointments, as it says your account is new and has no privileges to view this,
but this can be easily bypassed by sending requests directly from Burp Suite.
Limitation bypasses:
- To see patient info it shows "You are not authorised to view this. Consult your medical administrator."
  But accessing it directly at /drpanel/drapi/query.php?aptid=56910219, we can see everything.
- To search for a patient it shows "As your account is new you are unable to search for patients."
  But sending a POST request directly to /drpanel/drapi/qp.php with an empty name parameter will show every user.
Impact
Impact is critical as this instantly gives us access to the admin panel, and thus to all user personal data.
This can also be used to lock out other doctors, as this registration can be used with an already existing username to change their password.
P2 High
Endpoint: /register.php
This report contains multiple vulnerabilities:
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.
FirstBlood ID: 17
Vulnerability Type: Auth issues
Unintended: An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's.
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
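The three findings above (IDs 15, 17 and 11) share one root cause: checks that exist only in the UI or not at all. The following is an added example written for this page, not FirstBlood's code; it models the server-side rules that close each finding with an in-memory store and hypothetical method names (issue_invite, register, query_appointment, search_patients) that mirror the endpoints the report names.

```python
# Added example (not FirstBlood's code): single-use invite codes, no account
# overwrite on registration, and privilege checks enforced on the API
# endpoints themselves rather than only in the page that renders the error.
from dataclasses import dataclass, field
import secrets

ADMIN_ROLE = "admin"   # assumption: only this role may view patient data


@dataclass
class Doctor:
    username: str
    password_hash: str
    role: str = "new"  # freshly registered doctors are unprivileged


@dataclass
class Portal:
    invites: dict = field(default_factory=dict)       # code -> already used?
    doctors: dict = field(default_factory=dict)       # username -> Doctor
    appointments: dict = field(default_factory=dict)  # aptid -> record
    patients: dict = field(default_factory=dict)      # name -> record

    def issue_invite(self) -> str:
        code = secrets.token_urlsafe(16)
        self.invites[code] = False
        return code

    def register(self, invite: str, username: str, password_hash: str) -> bool:
        # ID 15: a code must exist and must not have been consumed already.
        if invite not in self.invites or self.invites[invite]:
            return False
        # ID 17: an existing username is never replaced by a new registration.
        if username in self.doctors:
            return False
        self.invites[invite] = True  # consume the code before creating the account
        self.doctors[username] = Doctor(username, password_hash)
        return True

    def _is_privileged(self, username: str) -> bool:
        doc = self.doctors.get(username)
        return doc is not None and doc.role == ADMIN_ROLE

    def query_appointment(self, username: str, aptid: str):
        # ID 11: query.php equivalent checks the caller's role on every request.
        if not self._is_privileged(username):
            return None
        return self.appointments.get(aptid)

    def search_patients(self, username: str, name: str):
        # qp.php equivalent: same role check, and an empty name never lists everyone.
        if not self._is_privileged(username) or not name.strip():
            return None
        return {n: r for n, r in self.patients.items() if name.lower() in n.lower()}
```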