FirstBlood-#129 — IDOR 2 on ma.php - confirms numerical id for bug chain to report 127 without the need for drpanel
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-10, jpdev reported:
Using the aptid parameter found on manageappointment.php, you can use this in place of the id parameter. This will ONLY confirm that the numerical id is valid and returns a success message. It does not cancel the appointment. If you do not have access to the drpanel, you can use this bug in a bug chain to amend the messages on the appointment; see report 127.
Example of its use in a chain:
Use the request below to confirm the id is valid; with that id, perform the attack referenced in report id 127: https://www.bugbountyhunter.com/hackevents/report?id=127
POST /api/ma.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept-Encoding: gzip, deflate
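A hardened version of the check the report shows is missing on /api/ma.php, as an added example in Python (not FirstBlood's PHP code and not part of jpdev's report): the appointment lookup is bound to the authenticated account, and an id that is unowned, unknown or malformed gets one identical response, so a success message no longer acts as an oracle for which integer ids exist. The names Appointment, amend_unsafe, amend_safe and the sample records are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Appointment:
    apt_id: int
    owner: str          # account that booked the appointment
    message: str = ""


# Constructed sample data (not from the report): three appointments, two owners.
APPOINTMENTS = {
    101: Appointment(101, "alice", "first visit"),
    102: Appointment(102, "bob"),
    103: Appointment(103, "alice"),
}

# One fixed answer for "does not exist", "not yours" and "not an id".
NOT_FOUND = {"status": "error", "message": "appointment not found"}


def amend_unsafe(session_user: str, apt_id_param: str, new_message: str) -> dict:
    """The defect the report describes: existence of the row is the only check,
    so any account can confirm an arbitrary integer id and amend its message."""
    apt = APPOINTMENTS.get(int(apt_id_param))
    if apt is None:
        return NOT_FOUND
    apt.message = new_message
    return {"status": "ok", "apt_id": apt.apt_id}


def amend_safe(session_user: str, apt_id_param: str, new_message: str) -> dict:
    """Object-level authorization: the lookup is scoped to the session's
    account, and an unowned id is indistinguishable from a nonexistent one."""
    try:
        apt_id = int(apt_id_param)
    except (TypeError, ValueError):
        return NOT_FOUND        # malformed input gets the same answer
    apt = APPOINTMENTS.get(apt_id)
    if apt is None or apt.owner != session_user:
        return NOT_FOUND        # no oracle: same body whether id exists or not
    apt.message = new_message
    return {"status": "ok", "apt_id": apt_id}
```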
This report has been publicly disclosed for everyone to view
FirstBlood ID: 6
Vulnerability Type: IDOR
The endpoint ma.php (used to modify an appointment) accepts plain integer values when modifying appointments. A poor attempt at security through obscurity was made.
Respect Earnt: 1500000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.