FirstBlood-#105: Info leak on reddit leads to create acc with admin privileges
This issue was discovered on FirstBlood v1.0.0



On 2021-05-10, pichik Level 4 reported:

Description

Hi,
I found an invite code that is used for registration leaked on Reddit by one of the doctors.
Here is the link:
https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/

This can be used here: http://firstbloodhackers.com/register.php to register a new doctor
and get access to /drpanel.

These new accounts have some limitations on viewing appointments, as it says your account is new and has no privileges to view this,
but this can be easily bypassed by sending requests directly from Burp Suite.

Limitation bypasses:

  1. To see patient info it shows "You are not authorised to view this. Consult your medical administrator."
    But accessing it directly in /drpanel/drapi/query.php?aptid=56910219, we can see everything.
  2. To search for a patient it shows "As your account is new you are unable to search for patients."
    But sending a POST request directly to /drpanel/drapi/qp.php with an empty name parameter will show every user.

Impact

Impact is critical as this instantly gives us access to the admin panel, and thus to all users' personal data.
This can also be used to lock out other doctors, as this registration can be used on an already existing username and change their passwords.

P2 High

Endpoint: /register.php

This bug makes use of the following vulnerabilities in a chain:

  • Authorisation Issue
  • Auth issues
  • Auth issues


FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.

FirstBlood ID: 17
Vulnerability Type: Auth issues

Unintended: An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's.

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
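
A sketch of the server-side checks that the three findings above (IDs 15, 17 and 11) call for, added here as an example and not FirstBlood's own code. It uses Python with an in-memory SQLite database rather than the application's PHP, and the table, column and role names are assumptions.

```python
import sqlite3

# Hypothetical schema: table, column and role names are assumptions, not FirstBlood's.
SCHEMA = """
CREATE TABLE invites (code TEXT PRIMARY KEY, used_by TEXT);
CREATE TABLE doctors (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL,
                      role TEXT NOT NULL DEFAULT 'new');
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample invite code.
    db.execute("INSERT INTO invites (code) VALUES ('CONSTRUCTED-INVITE-1')")
    db.commit()
    return db

def register(db, code, username, pw_hash):
    """Create a doctor account; returns (ok, reason)."""
    try:
        with db:  # one transaction: both statements commit or neither does
            # ID 15: claim the invite atomically; a second use matches 0 rows.
            cur = db.execute(
                "UPDATE invites SET used_by = ? WHERE code = ? AND used_by IS NULL",
                (username, code))
            if cur.rowcount != 1:
                raise ValueError("invite invalid or already used")
            # ID 17: plain INSERT; the PRIMARY KEY rejects an existing username
            # instead of replacing the original account.
            db.execute("INSERT INTO doctors (username, pw_hash) VALUES (?, ?)",
                       (username, pw_hash))
    except sqlite3.IntegrityError:
        return False, "username already exists"
    except ValueError as exc:
        return False, str(exc)
    return True, "registered"

def may_query_patients(db, username):
    """ID 11: role check performed inside the API handler, not only in the UI."""
    row = db.execute("SELECT role FROM doctors WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and row[0] == "admin"
```

Because the invite claim and the account insert share one transaction, a rejected duplicate username leaves both the original account and the invite unchanged.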