FirstBlood-#106 — An new user account can bypass security and view all patient data
On 2021-05-10, xnl-h4ck3r reported:
An attacker can create a new user account and access all patient PII data
It is possible due to a number of vulnerabilities that an attacker is able to register on the app and obtain all patient PII data.
/register.phpit says: Note: Doctor accounts are pre-made so please enter your username and invite code to activate your account
- Firstly, it is possible for an attacker to obtain an invite code (e.g. https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/)
- Secondly, an invite code can be used multiple times so an attacker has the opportunity to make use of one already used.
- Thirdly, an attacker is able to register using any user name, not just a Doctor accpunt that has been pre-made (although likely usernames are on
Once registered, the attacker can then access the Manageent panel on
/drpanel/index.php. The user is informed with Warning: As your account has been recently registered you will not be able to view patient information yet.
- Firstly, the attacker has access to patients full names who have appointments that day, and who have cancelled appointments.
- Secondly, the attacker is able to use endpoint
/drpanel/drapi/qp.phpdirectly to view PII data of all patients.
- Thirdly, the attacker is able to use endpoint
/drpanel/drapi/query.phpdirectly to view PII of patients who have appointments. An appointment ID has to be passed, but an IDOR exists that allows an attacker to enumerate that.
Steps To Reproduce
- Log in as a new user, and observe the message below:
To query patient data
- To bypass this security, send a GET request to
/drpanel/drapi/query.phpwith the cookies of the logged in user, and query parameter of
- Observe the response with data of a patients appointment:
NOTE: An IDOR exists that means the appt value is 5691???? where
????is enumerated by adding 137 to the previous value each time.
To query appointment data
- To bypass this security, send a POST request to
/drpanel/drapi/qp.phpwith the cookies of the logged in user, and post parameter of
- Observe the reponse with data of all patients:
Authorisation controls can be bypassed allowed new users access to patient appointment PII data
register.php, /drpanel/drapi/qp.php, /drpanel/drapi/query.php
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.