FirstBlood-#1209 — Leakage of all users assigned to ambulances
This issue was discovered on FirstBlood v3
On 2022-12-08, pichik reported:
Finally something more interesting.
I found a bug where all users who are assigned to ambulances are leaked.
If you want to be assigned to an ambulance, you need to add the parameter ambulance=1 during appointment creation.
This parameter can be easily guessed after trying to retrieve an ambulance at /ambulance.php without any id, as the error is pretty straightforward:
Error: Ambulance has not been enabled for this appointment. Make sure to enable it when making an appointment
Here is a screenshot of how to add an ambulance to your appointment:
(Not sure if this is a bug on its own, if only doctors should be able to assign appointments to ambulances, as people can easily abuse this function and spam it)
After that you can go to /ambulance.php, enter your appointment id and track your ambulance.
During this process there is a call to the API endpoint /api/ambulances.php?select=[id], which will find your ambulance.
The select parameter is vulnerable to an attack which can retrieve all ambulances and their users.
Everything you need to do is change
all and everything is shown:
User names, IDs of their appointments, everything.
This should not be visible to other users as it contains PII.
Remove the option to enumerate all from public search.
FirstBlood ID: 71
Vulnerability Type: Information leak/disclosure
The endpoint /api/ambulances.php leaks patient information if the parameter ?select=all is supplied
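One way to implement the fix the report recommends, as an added example that is not FirstBlood's code or part of the original report: the select value is accepted only as a single numeric id, and a record is returned only when it belongs to an appointment the server has already tied to the caller. The function name select_ambulance, the record fields, and the session-bound appointment list are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample records; field names are assumptions, not FirstBlood's schema.
const AMBULANCES = [
    1 => ['id' => 1, 'appointment_id' => 'appt-aaa', 'patient' => 'Alice Example'],
    2 => ['id' => 2, 'appointment_id' => 'appt-bbb', 'patient' => 'Bob Example'],
];

/**
 * Hypothetical handler core for GET /api/ambulances.php?select=...
 * $callerAppointments: appointment ids the server has bound to this session
 * (assumption: read from server-side state, never from the request).
 * Returns [httpStatus, body].
 */
function select_ambulance(mixed $select, array $callerAppointments, array $ambulances = AMBULANCES): array
{
    // Accept exactly one positive decimal integer. Keywords such as "all",
    // arrays (select[]=1), signs, whitespace and empty values are rejected.
    if (!is_string($select) || preg_match('/\A[1-9][0-9]{0,8}\z/', $select) !== 1) {
        return [400, ['error' => 'select must be a numeric id']];
    }
    $record = $ambulances[(int) $select] ?? null;

    // Same response for "no such ambulance" and "not yours", so the endpoint
    // does not reveal which ids exist.
    if ($record === null || !in_array($record['appointment_id'], $callerAppointments, true)) {
        return [404, ['error' => 'ambulance not found']];
    }

    // Return only what the tracking page needs; the patient name stays server-side.
    return [200, ['id' => $record['id'], 'appointment_id' => $record['appointment_id']]];
}

// Demo with constructed inputs: the caller owns appointment "appt-aaa" only.
foreach (['1', 'all', '2', ''] as $input) {
    [$status, $body] = select_ambulance($input, ['appt-aaa']);
    printf("select=%-4s -> %d %s\n", $input, $status, json_encode($body));
}
```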