FirstBlood-#1198 Modifying appointment
This issue was discovered on FirstBlood v3
On 2022-12-08, pichik Level 4 reported:

Hi,
As you create a new appointment, you can visit it at /manageappointment.php?success&aptid=[id].
It says 'Modify Appointment', but the user can't really modify anything, just cancel it, so the user shouldn't be able to modify it.
And it's still possible to modify it after cancellation.
But if you click on cancel and intercept the request, there will be new headers coming with the request.
These headers are:

  • Apptid - appointment id
  • Dob - date of birth
  • Name - your name
  • x-site-req: permitted - required for this request

Didn't find any use of the Apptid header, but if you edit the Dob and Name headers, they will be changed in the appointment.

Here is the PoC screenshot:

Not sure if this has any impact on its own, but as there are no options to change these values for the user, it should not be possible.
Hopefully I'll find a better impact for this soon.

P4 Low

Endpoint: /api/ma.php

Parameter: Name/Dob Headers

Payload: change


FirstBlood ID: 49
Vulnerability Type: Application/Business Logic

Users can modify their name/dob via the header parameters on modify-appointment.php despite this being restricted on the web application
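As an added illustration of the bug class (constructed example, not FirstBlood's own code), the handler below mirrors the reported behaviour: a cancel endpoint that reads the Name and Dob request headers into the stored appointment, shown beside a hardened version that only performs the cancel, ignores profile fields it was never meant to accept, and refuses to act on an already-cancelled appointment. The in-memory store, the `aptid` parameter (assumed to come from the URL, since the report found no use of the Apptid header) and the field names are assumptions.

```python
# Constructed illustration of the FirstBlood #1198 bug class; not the platform's code.
from dataclasses import dataclass
from typing import Dict


@dataclass
class Appointment:
    aptid: int
    name: str
    dob: str
    status: str = "booked"


# Hypothetical in-memory store standing in for the application's database.
STORE: Dict[int, Appointment] = {}


def _require_site_header(headers: Dict[str, str]) -> None:
    # The "x-site-req: permitted" header seen in the report acts as a request gate;
    # both handlers keep it, because it is not the part that is broken.
    if headers.get("x-site-req") != "permitted":
        raise PermissionError("missing x-site-req header")


def cancel_vulnerable(aptid: int, headers: Dict[str, str]) -> Appointment:
    """Reported behaviour: Name/Dob headers silently overwrite the record."""
    _require_site_header(headers)
    apt = STORE[aptid]
    # Bug: client-supplied Name/Dob are trusted, so a user changes fields the UI
    # never exposes, and nothing stops a repeat call after cancellation.
    apt.name = headers.get("Name", apt.name)
    apt.dob = headers.get("Dob", apt.dob)
    apt.status = "cancelled"
    return apt


def cancel_fixed(aptid: int, headers: Dict[str, str]) -> Appointment:
    """Hardened: the endpoint does exactly one thing and reads no profile fields."""
    _require_site_header(headers)
    apt = STORE[aptid]
    if apt.status == "cancelled":
        raise ValueError("appointment already cancelled")
    apt.status = "cancelled"  # Name/Dob headers are deliberately never consulted
    return apt
```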

Report Feedback

@zseano

Creator & Administrator
Congratulations, you were the first to discover this!