FirstBlood-#106 — An new user account can bypass security and view all patient data
This issue was discovered on FirstBlood v1
On 2021-05-10, xnl-h4ck3r reported:
An attacker can create a new user account and access all patient PII data
It is possible due to a number of vulnerabilities that an attacker is able to register on the app and obtain all patient PII data.
/register.php it says:
Note: Doctor accounts are pre-made so please enter your username and invite code to activate your account
- Firstly, it is possible for an attacker to obtain an invite code (e.g. https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/)
- Secondly, an invite code can be used multiple times so an attacker has the opportunity to make use of one already used.
- Thirdly, an attacker is able to register using any user name, not just a Doctor accpunt that has been pre-made (although likely usernames are on
Once registered, the attacker can then access the Manageent panel on
/drpanel/index.php. The user is informed with Warning: As your account has been recently registered you will not be able to view patient information yet.
- Firstly, the attacker has access to patients full names who have appointments that day, and who have cancelled appointments.
- Secondly, the attacker is able to use endpoint
/drpanel/drapi/qp.php directly to view PII data of all patients.
- Thirdly, the attacker is able to use endpoint
/drpanel/drapi/query.php directly to view PII of patients who have appointments. An appointment ID has to be passed, but an IDOR exists that allows an attacker to enumerate that.
Steps To Reproduce
- Log in as a new user, and observe the message below:
To query patient data
- To bypass this security, send a GET request to
/drpanel/drapi/query.php with the cookies of the logged in user, and query parameter of
aptid=56910619 for example.
- Observe the response with data of a patients appointment:
NOTE: An IDOR exists that means the appt value is 5691???? where
???? is enumerated by adding 137 to the previous value each time.
To query appointment data
- To bypass this security, send a POST request to
/drpanel/drapi/qp.php with the cookies of the logged in user, and post parameter of
- Observe the reponse with data of all patients:
Authorisation controls can be bypassed allowed new users access to patient appointment PII data
register.php, /drpanel/drapi/qp.php, /drpanel/drapi/query.php
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.