FirstBlood-#106An new user account can bypass security and view all patient data
This issue was discovered on FirstBlood v1



On 2021-05-10, xnl-h4ck3r Level 4 reported:

An attacker can create a new user account and access all patient PII data


Summary

It is possible due to a number of vulnerabilities that an attacker is able to register on the app and obtain all patient PII data.

On endpoint /register.php it says: Note: Doctor accounts are pre-made so please enter your username and invite code to activate your account

Once registered, the attacker can then access the Manageent panel on /drpanel/index.php. The user is informed with Warning: As your account has been recently registered you will not be able to view patient information yet.

  • Firstly, the attacker has access to patients full names who have appointments that day, and who have cancelled appointments.
  • Secondly, the attacker is able to use endpoint /drpanel/drapi/qp.php directly to view PII data of all patients.
  • Thirdly, the attacker is able to use endpoint /drpanel/drapi/query.php directly to view PII of patients who have appointments. An appointment ID has to be passed, but an IDOR exists that allows an attacker to enumerate that.

Steps To Reproduce

  1. Log in as a new user, and observe the message below:

To query patient data

  1. To bypass this security, send a GET request to /drpanel/drapi/query.php with the cookies of the logged in user, and query parameter of aptid=56910619 for example.
  2. Observe the response with data of a patients appointment:

NOTE: An IDOR exists that means the appt value is 5691???? where ???? is enumerated by adding 137 to the previous value each time.

To query appointment data

  1. To bypass this security, send a POST request to /drpanel/drapi/qp.php with the cookies of the logged in user, and post parameter of name=%20.
  2. Observe the reponse with data of all patients:

Impact

Authorisation controls can be bypassed allowed new users access to patient appointment PII data

P2 High

Endpoint: register.php, /drpanel/drapi/qp.php, /drpanel/drapi/query.php

Parameter: n/a

Payload: n/a


FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.