FirstBlood-#1198 — Modifying appointment
This issue was discovered on FirstBlood v3
On 2022-12-08, pichik reported:
As you create a new appointment, you can visit it at
It says 'Modify Appointment', but the user can't really modify anything, just cancel it, so the user shouldn't be able to modify it.
And it's still possible to modify it after cancellation.
But if you click on cancel and intercept the request, there will be new headers coming with the request.
These headers are:
Apptid - appointment id
Dob - date of birth
Name - your name
x-site-req: permitted - required for this request
Didn't find any use of the Apptid header, but if you edit the name headers, their values will be changed in the appointment.
Here is the PoC screenshot:
Not sure if this has any impact on its own, but as there are no options for the user to change these values, it should not be possible.
Hopefully I'll find a better impact for this soon.
FirstBlood ID: 49
Vulnerability Type: Application/Business Logic
Users can modify their name/dob via the header parameters on modify-appointment.php despite this being restricted on the web application
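The root cause described in this report is a cancel handler that reads identity fields (Name, Dob) from request headers the client controls, so a request that should only flip the appointment to "cancelled" also rewrites the record. The following is an added example, not FirstBlood's code, written in Python rather than PHP so it runs stand-alone: it places a handler with the reported behaviour beside a hardened one that performs only the cancel action, ignores client-supplied identity headers, refuses to act on an already-cancelled appointment, and requires the `x-site-req: permitted` marker the report observed. The `Appointment` record, `STORE`, the owner check and the header-audit helper are assumptions for illustration; the appointment id 49 and the header names come from the report.

```python
"""Added example (not FirstBlood's code): cancelling an appointment without
letting request headers rewrite the stored record."""
from dataclasses import dataclass, replace
from typing import Dict, Mapping

# Headers the report shows arriving with the cancel request. Only the
# x-site-req marker has a legitimate role; the rest should never influence
# server-side state.
IDENTITY_HEADERS = {"apptid", "dob", "name"}
SITE_REQ_HEADER = "x-site-req"
SITE_REQ_VALUE = "permitted"


@dataclass(frozen=True)
class Appointment:
    appt_id: int
    owner: str        # session user who booked it (assumed field)
    name: str
    dob: str
    cancelled: bool = False


# Constructed sample data for the example.
STORE: Dict[int, Appointment] = {
    49: Appointment(49, "pichik", "Original Name", "1990-01-01"),
}


def _lower(headers: Mapping[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def cancel_vulnerable(store: Dict[int, Appointment], appt_id: int,
                      headers: Mapping[str, str]) -> Appointment:
    """Mirrors the reported behaviour: Name/Dob headers overwrite the record,
    and nothing stops the update after the appointment is already cancelled."""
    h = _lower(headers)
    appt = store[appt_id]
    updated = replace(appt, cancelled=True,
                      name=h.get("name", appt.name),
                      dob=h.get("dob", appt.dob))
    store[appt_id] = updated
    return updated


def cancel_hardened(store: Dict[int, Appointment], appt_id: int,
                    session_user: str, headers: Mapping[str, str]) -> Appointment:
    """Fixed handler: the only state change is cancelled=True. Identity fields
    are never read from headers, the caller must own the appointment, and a
    second cancel is rejected instead of acting as a hidden modify."""
    h = _lower(headers)
    if h.get(SITE_REQ_HEADER) != SITE_REQ_VALUE:
        raise PermissionError("missing x-site-req marker")
    appt = store[appt_id]
    if appt.owner != session_user:
        raise PermissionError("appointment does not belong to this user")
    if appt.cancelled:
        raise ValueError("appointment already cancelled")
    updated = replace(appt, cancelled=True)
    store[appt_id] = updated
    return updated


def unexpected_identity_headers(headers: Mapping[str, str]) -> set:
    """Detection aid: identity fields arriving as headers on a cancel request
    are worth logging, since the UI never sends them for a plain cancel."""
    return IDENTITY_HEADERS & set(_lower(headers))


if __name__ == "__main__":
    tampered = {"Name": "Changed Name", "Dob": "2000-02-02",
                SITE_REQ_HEADER: SITE_REQ_VALUE}
    print("vulnerable:", cancel_vulnerable(dict(STORE), 49, tampered))
    print("hardened:  ", cancel_hardened(dict(STORE), 49, "pichik", tampered))
    print("audit:     ", unexpected_identity_headers(tampered))
```

The hardened handler also closes the second observation in the report (modification after cancellation), because a cancelled record can no longer be touched through this endpoint at all.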